Applied a patch (bsc#1256673, CVE-2026-22791).

Modified the .spec file for Immutable Mode (jsc#PED-14798)

ocki-3.26-remove-make-install-chgrp.patch

@@ -1,5 +1,5 @@
---- a/Makefile.am	2025-06-10 08:52:39.000000000 +0200
-+++ b/Makefile.am	2025-06-16 12:25:31.040661532 +0200
+--- a/Makefile.am	2025-11-11 08:58:19.000000000 +0100
++++ b/Makefile.am	2025-11-12 10:21:00.563936369 +0100
 @@ -51,19 +51,9 @@
  include doc/doc.mk
  

openCryptoki-CVE-2026-22791-commit-e37e912.patch

@@ -0,0 +1,113 @@
+From e37e9127deeeb7bf3c3c4d852c594256c57ec3a8 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Thu, 8 Jan 2026 10:48:29 +0100
+Subject: [PATCH] COMMON: Fix CKM_ECDH_AES_KEY_WRAP buffer size calculation
+ with compressed keys
+
+When a C_WrapKey with CKM_ECDH_AES_KEY_WRAP is performed, and the EC public
+key used with it uses a compressed EC point, then the size of the wrapped
+key material is calculated wrongly. This may lead to an out-of-bounds write
+when the caller provides a buffer of that calculated size.
+
+The temporary EC key generated internally by this mechanism is always
+uses an uncompressed EC point, but the buffer size is erroneously calculated
+using the EC point of the supplied EC public key. Thus, in case a compressed
+EC point is supplied, the buffer size calculation results in a too short
+buffer.
+
+Fix this by calculating the buffer size using the EC point of the internally
+generated EC key, because this is what is later on written to the buffer.
+
+Fixes: 785d7577e1477d12fbe235554e7e7b24f2de34b7
+Reported-by: Pavel Kohout of Aisle Research, www.aisle.com
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ usr/lib/common/mech_ec.c | 54 ++++++++++++++++++++--------------------
+ 1 file changed, 27 insertions(+), 27 deletions(-)
+
+diff --git a/usr/lib/common/mech_ec.c b/usr/lib/common/mech_ec.c
+index 2399c1cfb..ce031ec0c 100644
+--- a/usr/lib/common/mech_ec.c
++++ b/usr/lib/common/mech_ec.c
+@@ -1758,6 +1758,31 @@ CK_RV ecdh_aes_key_wrap(STDLL_TokData_t *tokdata, SESSION *sess,
+         goto done;
+     }
+ 
++    /* Get the (raw) size of the generated EC point */
++    rc = object_mgr_find_in_map1(tokdata, ec_publ_key_handle,
++                                 &pub_key_obj, READ_LOCK);
++    if (rc != CKR_OK) {
++        TRACE_ERROR("Failed to acquire key from EC public key handle.\n");
++        if (rc == CKR_OBJECT_HANDLE_INVALID)
++            rc = CKR_KEY_HANDLE_INVALID;
++        goto done;
++    }
++
++    rc = template_attribute_get_non_empty(pub_key_obj->template, CKA_EC_POINT,
++                                          &ec_point);
++    if (rc != CKR_OK) {
++        TRACE_DEVEL("Failed to get CKA_EC_POINT.\n");
++        goto done;
++    }
++
++    rc = ber_decode_OCTET_STRING((CK_BYTE *)ec_point->pValue,
++                                  &pub_ec_point, &pub_ec_point_len, &field_len);
++    if (rc != CKR_OK || field_len != ec_point->ulValueLen) {
++        rc = CKR_FUNCTION_FAILED;
++        TRACE_DEVEL("Failed to decode CKA_EC_POINT.\n");
++        goto done;
++    }
++
+     /* Perform ECDH to derive a shared AES key */
+     ecdh_params.kdf = params->kdf;
+     ecdh_params.pSharedData = params->pSharedData;
+@@ -1813,7 +1838,7 @@ CK_RV ecdh_aes_key_wrap(STDLL_TokData_t *tokdata, SESSION *sess,
+     }
+ 
+     /* Calculate the final length of the wrapped key data */
+-    total_len = ecdh_params.ulPublicDataLen + wrapped_key_len;
++    total_len = pub_ec_point_len + wrapped_key_len;
+ 
+     if (length_only) {
+         *out_data_len = total_len;
+@@ -1831,31 +1856,6 @@ CK_RV ecdh_aes_key_wrap(STDLL_TokData_t *tokdata, SESSION *sess,
+      * Copy the (raw) EC point of the public transport EC key as first part of
+      * the wrapped key data.
+      */
+-    rc = object_mgr_find_in_map1(tokdata, ec_publ_key_handle,
+-                                 &pub_key_obj, READ_LOCK);
+-    if (rc != CKR_OK) {
+-        TRACE_ERROR("Failed to acquire key from EC public key handle.\n");
+-        if (rc == CKR_OBJECT_HANDLE_INVALID)
+-            return CKR_KEY_HANDLE_INVALID;
+-        else
+-            return rc;
+-    }
+-
+-    rc = template_attribute_get_non_empty(pub_key_obj->template, CKA_EC_POINT,
+-                                          &ec_point);
+-    if (rc != CKR_OK) {
+-        TRACE_DEVEL("Failed to get CKA_EC_POINT.\n");
+-        goto done;
+-    }
+-
+-    rc = ber_decode_OCTET_STRING((CK_BYTE *)ec_point->pValue,
+-                                  &pub_ec_point, &pub_ec_point_len, &field_len);
+-    if (rc != CKR_OK || field_len != ec_point->ulValueLen) {
+-        rc = CKR_FUNCTION_FAILED;
+-        TRACE_DEVEL("Failed to decode CKA_EC_POINT.\n");
+-        goto done;
+-    }
+-
+     memcpy(out_data, pub_ec_point, pub_ec_point_len);
+ 
+     /*
+@@ -1864,7 +1864,7 @@ CK_RV ecdh_aes_key_wrap(STDLL_TokData_t *tokdata, SESSION *sess,
+      */
+     rc = encr_mgr_encrypt(tokdata, sess, FALSE, &aeskw_ctx,
+                           in_data, in_data_len,
+-                          out_data + ecdh_params.ulPublicDataLen,
++                          out_data + pub_ec_point_len,
+                           &wrapped_key_len);
+     if (rc != CKR_OK) {
+         TRACE_ERROR("Failed to encrypt the to-be-wrapped key: %s (0x%lx)\n",

openCryptoki.changes

@@ -1,5 +1,52 @@
 -------------------------------------------------------------------
-Mon Jul  7 15:12:38 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+Fri Jan 16 08:33:23 UTC 2026 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Applied a patch (bsc#1256673, CVE-2026-22791)
+  * openCryptoki-CVE-2026-22791-commit-e37e912.patch
+- Modified the .spec file for Immutable Mode (jsc#PED-14798) 
+
+-------------------------------------------------------------------
+Wed Nov 12 09:04:02 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Upgrade openCryptoki to 3.26 (jsc#PED-14609) 
+  * Soft: Add support for RSA keys up to 16K bits.
+  * CCA: Add support for RSA keys up to 8K bits (requires CCA v8.4 or v7.6 or later).
+  * p11sak: Add support for generating RSA keys up to 16K bits.
+  * Soft/ICA: Add support for SHA512/224 and SHA512/256 key derivation mechanism (CKM_SHA512_224_KEY_DERIVATION and CKM_SHA512_256_KEY_DERIVATION).
+  * Soft/ICA/CCA/EP11: Add support for SHA-HMAC key types CKK_SHAxxx_HMAC and key gen mechanisms CKM_SHAxxx_KEY_GEN.
+  * p11sak: Add support for SHA-HMAC key types and key generation.
+  * p11sak: Add support for key wrap and unwrap commands to export and import private and secret keys by means of key wrapping/unwrapping 
+    with various key wrapping mechanism.
+  * p11kmip: Add support for using an HSM-protected TLS client key via a PKCS#11 provider.
+  * p11sak: Add support for exporting non-sensitive private keys to password protected PEM files.
+  * Add support for canceling an operation via NULL mechanism pointer at C_XxxInit() call as an alternative to C_SessionCancel() (PKCS#11 v3.0).
+  * EP11: Add support for pairing friendly BLS12-381 EC curve for sign/verify using CKM_IBM_ECDSA_OTHER and signature/public key aggregation using CKM_IBM_EC_AGGREGATE.
+  * p11sak: Add support for generating BLS12-381 EC keys.
+  * EP11: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms (requires an EP11 host library v4.2 or later, and 
+    a CEX8P crypto card with firmware v9.6 or later on IBM z17, and v8.39 or later on IBM z16).
+  * CCA: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms (requires CCA v8.4 or later).
+  * Soft: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms (requires OpenSSL 3.5 or later, or the OQS-provider must be configured).
+  * p11sak: Add support for IBM-specific ML-DSA and ML-KEM key types.
+  * Bug fixes. 
+- Removed obsolete patches
+  * ocki-3.25-remove-make-install-chgrp.patch 
+  * ocki-3.25-PKCSSLOTD-Remove-the-use-of-MD5.patch
+- Applied a new patch for version 3.26
+  * ocki-3.26-remove-make-install-chgrp.patch 
+
+-------------------------------------------------------------------
+Thu Aug 14 04:56:04 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Applied a patch (bsc#1248002) 
+  * ocki-3.25-PKCSSLOTD-Remove-the-use-of-MD5.patch
+
+-------------------------------------------------------------------
+Tue Jul 29 07:27:20 UTC 2025 - Andreas Schwab <schwab@suse.de>
+
+- Add riscv64 to openCryptoki_64bit_arch
+
+-------------------------------------------------------------------
+Mon Jun 16 09:43:23 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
 
 - Upgrade openCryptoki to version 3.25 (jsc#PED-3361)
   * Updates/add supports
@@ -23,17 +70,17 @@ Mon Jul  7 15:12:38 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
     - ocki-3.24-remove-group-from-tests.patch
     - ocki-3.24-remove-make-install-chgrp.patch
   * Applied a new patch for version 3.25
-    - ocki-3.25-remove-make-install-chgrp.patch
-  * Bug fixes
+    - ocki-3.25-remove-make-install-chgrp.patch 
+  * Bug fixes 
 
 -------------------------------------------------------------------
-Wed Dec 11 07:35:28 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+Wed Dec 11 07:25:11 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
 
-- Moved pkcshsm_mk_change from openCryptoki-devel to openCryptoki
-        (jsc#PED-10291, jsc#PED-10290)
+- Moved pkcshsm_mk_change from openCryptoki-devel to openCryptoki 
+        (jsc#PED-10291, jsc#PED-10290) 
 
 -------------------------------------------------------------------
-Tue Dec 10 08:13:46 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+Tue Dec 10 07:08:59 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
 
 - Amended the .spec file (jsc#PED-10291, jsc#PED-10290)
   * Changed attributes - %attr(0640,root,%{pkcs_group}) - of files below:
@@ -41,7 +88,7 @@ Tue Dec 10 08:13:46 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
     - %{_sysconfdir}/opencryptoki/p11sak_defined_attrs.conf
 
 -------------------------------------------------------------------
-Mon Nov 25 11:42:14 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+Thu Nov 21 10:42:00 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
 
 - Amended the .spec file (jsc#PED-10291, jsc#PED-10290)
 - Improved handling of user/group. use existing user/group if they
@@ -1333,4 +1380,3 @@ Tue Feb  5 11:01:16 CET 2002 - froh@suse.de
 Wed Jan 30 16:20:48 CET 2002 - froh@suse.de
 
 - initial version
-

openCryptoki.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package openCryptoki
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2026 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
 %define openCryptoki_32bit_arch %{ix86} s390 ppc %{arm}
 # support in the workings for: ppc64
 # no support in sight for: ia64
-%define openCryptoki_64bit_arch s390x ppc64 ppc64le x86_64 aarch64
+%define openCryptoki_64bit_arch s390x ppc64 ppc64le x86_64 aarch64 riscv64
 # autobuild:/work/cd/lib/misc/group
 #   openCryptoki    pkcs11:x:64:
 %define pkcs11_group_id 64
@@ -27,7 +27,7 @@
 %define oc_cvs_tag opencryptoki
 
 Name:           openCryptoki
-Version:        3.25.0
+Version:        3.26.0
 Release:        0
 Summary:        An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
 License:        CPL-1.0
@@ -39,8 +39,9 @@ Source2:        openCryptoki-TFAQ.html
 Source3:        openCryptoki-rpmlintrc
 # Patch 0 is needed because group pkcs11 doesn't exist in the build environment
 # and because we don't want(?) various file and directory permissions to be 0700.
-Patch000:       ocki-3.25-remove-make-install-chgrp.patch
+Patch000:       ocki-3.26-remove-make-install-chgrp.patch
 #
+Patch010:       openCryptoki-CVE-2026-22791-commit-e37e912.patch
 #
 BuildRequires:  bison
 BuildRequires:  dos2unix
@@ -170,10 +171,25 @@ dos2unix doc/README.ep11_stdll
 %install
 %make_install
 install -d %{buildroot}%{_includedir}
-install -d %{buildroot}%{_localstatedir}/lib/opencryptoki
+# Move data templates from /var to /usr/share/opencryptoki for tmpfiles to use
+install -d %{buildroot}%{_datadir}/opencryptoki/templates
 install -d %{buildroot}%{_initddir}
 install -d %{buildroot}%{_sbindir}
 install -d %{buildroot}%{_prefix}/lib/tmpfiles.d
+# Define the tmpfiles.d configuration
+cat > %{buildroot}%{_prefix}/lib/tmpfiles.d/opencryptoki.conf <<EOF
+# Type Path        Mode UID  GID  Age Argument
+d /var/lib/opencryptoki 0755 root pkcs11 - -
+d /var/lib/opencryptoki/swtok 0770 root pkcs11 - -
+d /var/lib/opencryptoki/swtok/TOK_OBJ 0770 root pkcs11 - -
+d /var/lib/opencryptoki/tpm 0770 root pkcs11 - -
+d /var/lib/opencryptoki/icsf 0770 root pkcs11 - -
+d /var/log/opencryptoki 0770 root pkcs11 - -
+L+ /etc/pkcs11 - - - - /var/lib/opencryptoki
+EOF
+# Remove manual directory creation in %install that belongs in /var
+rm -rf %{buildroot}%{_localstatedir}/lib/opencryptoki
+rm -rf %{buildroot}%{_localstatedir}/log/opencryptoki
 #
 mkdir -p %{buildroot}%{_datadir}/opencryptoki
 cp %{buildroot}%{_datadir}/doc/opencryptoki/*.conf %{buildroot}%{_datadir}/opencryptoki
@@ -198,22 +214,13 @@ getent passwd pkcsslotd 2>/dev/null || %{_sbindir}/useradd -g %{pkcs_group} -r p
 %{service_del_preun pkcsslotd.service}
 
 %post
-# Symlink from /var/lib/opencryptoki to /etc/pkcs11
-if [ ! -L %{_sysconfdir}/pkcs11 ] ; then
-	if [ -e %{_sysconfdir}/pkcs11/pk_config_data ] ; then
-		mv %{_sysconfdir}/pkcs11/* %{_localstatedir}/lib/opencryptoki
-		cd %{_sysconfdir} && rm -rf pkcs11 && \
-			ln -sf %{_localstatedir}/lib/opencryptoki pkcs11
-	fi
-fi
+# Use the systemd-tmpfiles macro to ensure directories are created on next boot/transaction
+%tmpfiles_create %{_tmpfilesdir}/opencryptoki.conf
 /sbin/ldconfig
-%{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/opencryptoki.conf}
 %{service_add_post pkcsslotd.service}
 
 %postun
-if [ -L %{_sysconfdir}/pkcs11 ] ; then
-	rm %{_sysconfdir}/pkcs11
-fi
+/sbin/ldconfig
 %{service_del_postun pkcsslotd.service}
 
 %ifarch %{openCryptoki_32bit_arch}
@@ -281,8 +288,6 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
 %ifnarch i586
 %config %{_sysconfdir}/opencryptoki/ccatok.conf
 %{_sbindir}/pkcscca
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ccatok
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ccatok/TOK_OBJ
 %endif
 %{_sbindir}/p11kmip
 %{_sbindir}/pkcsslotd
@@ -294,20 +299,12 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
 %dir %{_libdir}/opencryptoki
 %dir %{_libdir}/opencryptoki/stdll
   # State and lock directories
-%dir %attr(755,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/swtok
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/swtok/TOK_OBJ
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/tpm
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/icsf
-%ifarch s390 s390x
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ep11tok
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ep11tok/TOK_OBJ
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/lite
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/lite/TOK_OBJ
-%endif
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/log/opencryptoki/
 %{_mandir}/man*/*
 %{_sbindir}/pkcshsm_mk_change
+#
+%{_prefix}/lib/tmpfiles.d/opencryptoki.conf
+# Ensure we don't package files in /var directly
+%ghost %dir %attr(755,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki
 
 %files devel
 %dir %{_libdir}/opencryptoki
@@ -326,6 +323,10 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
 %{_libdir}/opencryptoki/stdll/libpkcs11_cca.so
 %ghost %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
 %endif
+%ifnarch i586
+%{_libdir}/opencryptoki/stdll/libpkcs11_cca.so
+%endif
+%ghost %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
 %{_libdir}/opencryptoki/stdll/libpkcs11_tpm.so
 %ghost %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
 %{_libdir}/opencryptoki/stdll/libpkcs11_sw.so