diff --git a/SPECS-EXTENDED/opencryptoki/opencryptoki.signatures.json b/SPECS-EXTENDED/opencryptoki/opencryptoki.signatures.json
index 8bc0c74ae5a..1a619d0289b 100644
--- a/SPECS-EXTENDED/opencryptoki/opencryptoki.signatures.json
+++ b/SPECS-EXTENDED/opencryptoki/opencryptoki.signatures.json
@@ -1,6 +1,6 @@
 {
-  "Signatures": {
-    "opencryptoki.module": "d335359abeb5d4d1e684841f055ac99b98e8fcc77578e480ef86ef2621ab363d",
-    "opencryptoki-3.17.0.tar.gz": "785596925738855b33b29bdff2399f613b892e7c6000d9ffbf79fe32c2aeaeee"
-  }
-}
+ "Signatures": {
+  "opencryptoki-3.24.0.tar.gz": "36873a867853b2327ca42ec231be8603d83cac2008ead23296b522fe64443764",
+  "opencryptoki.module": "d335359abeb5d4d1e684841f055ac99b98e8fcc77578e480ef86ef2621ab363d"
+ }
+}
\ No newline at end of file
diff --git a/SPECS-EXTENDED/opencryptoki/opencryptoki.spec b/SPECS-EXTENDED/opencryptoki/opencryptoki.spec
index 51fc60e70b6..003d201ec29 100644
--- a/SPECS-EXTENDED/opencryptoki/opencryptoki.spec
+++ b/SPECS-EXTENDED/opencryptoki/opencryptoki.spec
@@ -1,56 +1,60 @@
-Summary:        Implementation of the PKCS#11 (Cryptoki) specification v2.11
-Name:           opencryptoki
-Version:        3.17.0
-Release:        2%{?dist}
-License:        CPL
+Name: opencryptoki
+Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
+Version: 3.24.0
+Release: 3%{?dist}
+License: CPL-1.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
-URL:            https://github.com/opencryptoki/opencryptoki
-Source0:        https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
-Source1:        opencryptoki.module
-# https://bugzilla.redhat.com/show_bug.cgi?id=732756
-Patch0:         opencryptoki-3.11.0-group.patch
-# bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/*
-Patch1:         opencryptoki-3.11.0-lockdir.patch
-BuildRequires:  autoconf
-BuildRequires:  automake
-BuildRequires:  bison
-BuildRequires:  expect
-BuildRequires:  flex
-BuildRequires:  gcc
-BuildRequires:  libtool
-BuildRequires:  openldap-devel
-BuildRequires:  openssl-devel
-BuildRequires:  systemd
-%if !0%{?azl}
-# Azure Linux only supports tpm 2.0, so drop tpm 1.2 support
-BuildRequires:  trousers-devel
+URL: https://github.com/opencryptoki/opencryptoki
+Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
+Source1: opencryptoki.module
+# fix install problem in buildroot
+Patch1: opencryptoki-3.24.0-p11sak.patch
+# upstream patches
+Patch2: opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch
+
+Requires(pre): coreutils
+Requires: (selinux-policy >= 34.9-1 if selinux-policy-targeted)
+BuildRequires: gcc gcc-c++
+BuildRequires: openssl-devel >= 1.1.1
+%if 0%{?tmptok}
+BuildRequires: trousers-devel
 %endif
-Requires:       %{name}(token)
-Requires:       %{name}-libs%{?_isa} = %{version}-%{release}
-Requires(post): systemd
-Requires(postun): systemd
-Requires(pre):  %{name}-libs%{?_isa} = %{version}-%{release}
-Requires(pre):  coreutils
-Requires(preun): systemd
+BuildRequires: openldap-devel
+BuildRequires: autoconf automake libtool
+BuildRequires: bison flex
+BuildRequires: libcap-devel
+BuildRequires: expect
+BuildRequires: make
+BuildRequires: systemd-rpm-macros
 %ifarch s390 s390x
-BuildRequires:  libica-devel >= 2.3
+BuildRequires: libica-devel >= 3.3
+# for /usr/include/libudev.h
+BuildRequires: systemd-devel
 %endif
+Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: %{name}(token)
+Requires(post): systemd diffutils
+Requires(preun): systemd
+Requires(postun): systemd
+
 
 %description
-Opencryptoki implements the PKCS#11 specification v2.11 for a set of
+Opencryptoki implements the PKCS#11 specification v2.20 for a set of
 cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
 Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
 token implementation that can be used without any cryptographic
 hardware.
 This package contains the Slot Daemon (pkcsslotd) and general utilities.
 
+
 %package libs
-Summary:        The run-time libraries for opencryptoki package
-Requires(pre):  shadow-utils
+Summary: The run-time libraries for opencryptoki package
+Requires(pre): shadow-utils
 
 %description libs
-Opencryptoki implements the PKCS#11 specification v2.11 for a set of
+Opencryptoki implements the PKCS#11 specification v2.20 for a set of
 cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
 Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
 token implementation that can be used without any cryptographic
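Review bot: The TPM token is gated on two different macro names: `%if 0%{?tmptok}` guards `BuildRequires: trousers-devel` in this hunk and the `%files tpmtok` section in a later hunk, while the `%configure` hunk tests `%if 0%{?tpmtok}`. Defining either macro alone gives a broken build: `tpmtok` passes `--enable-tpmtok` without trousers-devel and without a %files list, and `tmptok` packages files that `--disable-tpmtok` never built. Use one spelling in all three places, e.g. `%if 0%{?tpmtok}`. The removed comment recorded that Azure Linux dropped TPM 1.2 support, so a replacement such as `# TPM 1.2 token stays off unless tpmtok is defined` would show the default is intentional.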
@@ -59,22 +63,24 @@ This package contains the PKCS#11 library implementation, and requires
 at least one token implementation (packaged separately) to be fully
 functional.
 
+
 %package devel
-Summary:        Development files for openCryptoki
-Requires:       %{name}-libs%{?_isa} = %{version}-%{release}
+Summary: Development files for openCryptoki
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 
 %description devel
 This package contains the development header files for building
 opencryptoki and PKCS#11 based applications
 
+
 %package swtok
-Summary:        The software token implementation for opencryptoki
-Requires:       %{name}-libs%{?_isa} = %{version}-%{release}
-Requires(pre):  %{name}-libs%{?_isa} = %{version}-%{release}
-Provides:       %{name}(token)
+Summary: The software token implementation for opencryptoki
+Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Provides: %{name}(token)
 
 %description swtok
-Opencryptoki implements the PKCS#11 specification v2.11 for a set of
+Opencryptoki implements the PKCS#11 specification v2.20 for a set of
 cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
 Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
 token implementation that can be used without any cryptographic
@@ -82,31 +88,31 @@ hardware.
 This package brings the software token implementation to use opencryptoki
 without any specific cryptographic hardware.
 
-%if !0%{?azl}
+
 %package tpmtok
-Summary:        Trusted Platform Module (TPM) device support for opencryptoki
-Requires:       %{name}-libs%{?_isa} = %{version}-%{release}
-Requires(pre):  %{name}-libs%{?_isa} = %{version}-%{release}
-Provides:       %{name}(token)
+Summary: Trusted Platform Module (TPM) device support for opencryptoki
+Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Provides: %{name}(token)
 
 %description tpmtok
-Opencryptoki implements the PKCS#11 specification v2.11 for a set of
+Opencryptoki implements the PKCS#11 specification v2.20 for a set of
 cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
 Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
 token implementation that can be used without any cryptographic
 hardware.
 This package brings the necessary libraries and files to support
 Trusted Platform Module (TPM) devices in the opencryptoki stack.
-%endif
+
 
 %package icsftok
-Summary:        ICSF token support for opencryptoki
-Requires:       %{name}-libs%{?_isa} = %{version}-%{release}
-Requires(pre):  %{name}-libs%{?_isa} = %{version}-%{release}
-Provides:       %{name}(token)
+Summary: ICSF token support for opencryptoki
+Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Provides: %{name}(token)
 
 %description icsftok
-Opencryptoki implements the PKCS#11 specification v2.11 for a set of
+Opencryptoki implements the PKCS#11 specification v2.20 for a set of
 cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
 Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
 token implementation that can be used without any cryptographic
@@ -114,15 +120,15 @@ hardware.
 This package brings the necessary libraries and files to support
 ICSF token in the opencryptoki stack.
 
-%ifarch s390 s390x
+
 %package icatok
-Summary:        ICA cryptographic devices (clear-key) support for opencryptoki
-Requires:       %{name}-libs%{?_isa} = %{version}-%{release}
-Requires(pre):  %{name}-libs%{?_isa} = %{version}-%{release}
-Provides:       %{name}(token)
+Summary: ICA cryptographic devices (clear-key) support for opencryptoki
+Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Provides: %{name}(token)
 
 %description icatok
-Opencryptoki implements the PKCS#11 specification v2.11 for a set of
+Opencryptoki implements the PKCS#11 specification v2.20 for a set of
 cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
 Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
 token implementation that can be used without any cryptographic
@@ -133,13 +139,13 @@ cryptographic hardware such as IBM 4764 or 4765 that uses the
 "accelerator" or "clear-key" path.
 
 %package ccatok
-Summary:        CCA cryptographic devices (secure-key) support for opencryptoki
-Requires:       %{name}-libs%{?_isa} = %{version}-%{release}
-Requires(pre):  %{name}-libs%{?_isa} = %{version}-%{release}
-Provides:       %{name}(token)
+Summary: CCA cryptographic devices (secure-key) support for opencryptoki
+Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Provides: %{name}(token)
 
 %description ccatok
-Opencryptoki implements the PKCS#11 specification v2.11 for a set of
+Opencryptoki implements the PKCS#11 specification v2.20 for a set of
 cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
 Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
 token implementation that can be used without any cryptographic
@@ -150,13 +156,13 @@ cryptographic hardware such as IBM 4764 or 4765 that uses the
 "co-processor" or "secure-key" path.
 
 %package ep11tok
-Summary:        CCA cryptographic devices (secure-key) support for opencryptoki
-Requires:       %{name}-libs%{?_isa} = %{version}-%{release}
-Requires(pre):  %{name}-libs%{?_isa} = %{version}-%{release}
-Provides:       %{name}(token)
+Summary: EP11 cryptographic devices (secure-key) support for opencryptoki
+Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Provides: %{name}(token)
 
 %description ep11tok
-Opencryptoki implements the PKCS#11 specification v2.11 for a set of
+Opencryptoki implements the PKCS#11 specification v2.20 for a set of
 cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
 Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
 token implementation that can be used without any cryptographic
@@ -165,7 +171,6 @@ This package brings the necessary libraries and files to support EP11
 tokens in the opencryptoki stack. The EP11 token is a token that uses
 the IBM Crypto Express adapters (starting with Crypto Express 4S adapters)
 configured with Enterprise PKCS#11 (EP11) firmware.
-%endif
 
 
 %prep
@@ -176,28 +181,53 @@ configured with Enterprise PKCS#11 (EP11) firmware.
 ./bootstrap.sh
 
 %configure --with-systemd=%{_unitdir} --enable-testcases	\
-%if 0%{?azl}
+    --with-pkcsslotd-user=pkcsslotd --with-pkcs-group=pkcs11 \
+%if 0%{?tpmtok}
+    --enable-tpmtok \
+%else
     --disable-tpmtok \
 %endif
+%ifarch s390 s390x x86_64 ppc64le
+    --enable-ccatok \
+%else
+    --disable-ccatok \
+%endif
 %ifarch s390 s390x
-    --enable-icatok --enable-ccatok --enable-ep11tok --enable-pkcsep11_migrate
+    --enable-icatok --enable-ep11tok --enable-pkcsep11_migrate
 %else
-    --disable-icatok --disable-ccatok --disable-ep11tok --disable-pkcsep11_migrate
+    --disable-icatok --disable-ep11tok --disable-pkcsep11_migrate --enable-pkcscca_migrate
 %endif
 
-make %{?_smp_mflags} CHGRP=/bin/true
+%make_build CHGRP=/bin/true
 
 
 %install
-make install DESTDIR=%{buildroot} CHGRP=/bin/true
-install -Dpm 644 %{SOURCE1} %{buildroot}%{_datadir}/p11-kit/modules/opencryptoki.module
+%make_install CHGRP=/bin/true
+
 
+%pre
+# don't touch opencryptoki.conf even if it is unchanged due to new tokversion
+# backup config file. bz#2044179
+%global cfile /etc/opencryptoki/opencryptoki.conf
+%global csuffix .rpmsave.XyoP
+if test $1 -gt 1 && test -f %{cfile} ; then
+    cp -p %{cfile} %{cfile}%{csuffix}
+fi
 
 %pre libs
 getent group pkcs11 >/dev/null || groupadd -r pkcs11
+getent passwd pkcsslotd >/dev/null || useradd -r -g pkcs11 -d /run/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" pkcsslotd
 exit 0
 
 %post
+# restore the config file from %pre
+if test $1 -gt 1 && test -f %{cfile} ; then
+    if ( ! cmp -s %{cfile} %{cfile}%{csuffix} ) ; then
+        cp -p %{cfile} %{cfile}.rpmnew
+    fi
+    cp -p %{cfile}%{csuffix} %{cfile} && rm -f %{cfile}%{csuffix}
+fi
+
 %systemd_post pkcsslotd.service
 if test $1 -eq 1; then
 	%tmpfiles_create %{name}.conf
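Review bot: The restore step in `%post` never checks that the backup written by `%pre` exists. When `%{cfile}%{csuffix}` is missing, `cmp -s` returns non-zero, so a spurious `.rpmnew` copy is written and the following `cp -p` fails. Guarding the block with `if test $1 -gt 1 && test -f %{cfile} && test -f %{cfile}%{csuffix} ; then` avoids both. The backup name is fixed (`.rpmsave.XyoP`) and both scriptlets run as root, so this is only safe while `/etc/opencryptoki` is writable by root alone; the visible %files lines do not set the directory's mode, so that is worth confirming. `%post` continues past the end of the hunk.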
@@ -209,21 +239,33 @@ fi
 %postun
 %systemd_postun_with_restart pkcsslotd.service
 
+
 %files
 %doc ChangeLog FAQ README.md
 %doc doc/opencryptoki-howto.md
 %doc doc/README.token_data
+%doc %{_docdir}/%{name}/*.conf
 %dir %{_sysconfdir}/%{name}
-%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
+%verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
+%attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/p11sak_defined_attrs.conf
+%attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/strength.conf
 %{_tmpfilesdir}/%{name}.conf
 %{_unitdir}/pkcsslotd.service
-%{_sbindir}/pkcsconf
-%{_sbindir}/pkcsslotd
 %{_sbindir}/p11sak
 %{_sbindir}/pkcstok_migrate
-%{_mandir}/man1/pkcsconf.1*
+%{_sbindir}/pkcsconf
+%{_sbindir}/pkcsslotd
+%{_sbindir}/pkcsstats
+%{_sbindir}/pkcshsm_mk_change
+%{_sbindir}/pkcstok_admin
 %{_mandir}/man1/p11sak.1*
 %{_mandir}/man1/pkcstok_migrate.1*
+%{_mandir}/man1/pkcsconf.1*
+%{_mandir}/man1/pkcsstats.1*
+%{_mandir}/man1/pkcshsm_mk_change.1*
+%{_mandir}/man1/pkcstok_admin.1*
+%{_mandir}/man5/policy.conf.5*
+%{_mandir}/man5/strength.conf.5*
 %{_mandir}/man5/%{name}.conf.5*
 %{_mandir}/man5/p11sak_defined_attrs.conf.5*
 %{_mandir}/man7/%{name}.7*
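Review bot: `%verify(not md5 size mtime)` on `opencryptoki.conf` has no comment saying why verification is switched off, and it means `rpm -V` will no longer report content changes to that file. The `%pre`/`%post` scriptlets restore the admin's copy on every upgrade, which is presumably the reason; a comment such as `# content is restored from the pre-upgrade copy in %post, so digest/size/mtime never match the payload` would document it. Hosts that rely on `rpm -V` for integrity checks of this file need another monitor for it, since it is the main opencryptoki configuration. The two new config files get `%attr(0640, root, pkcs11)` while `opencryptoki.conf` keeps its build-time mode; if that difference is intended, say so in the same comment.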
@@ -231,16 +273,17 @@ fi
 %{_libdir}/opencryptoki/methods
 %{_libdir}/pkcs11/methods
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}
+%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/HSM_MK_CHANGE
 %ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}
 %ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}/*
-%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki
+%dir %attr(710,pkcsslotd,pkcs11) /run/%{name}
 
 %files libs
 %license LICENSE
 %{_sysconfdir}/ld.so.conf.d/*
 # Unversioned .so symlinks usually belong to -devel packages, but opencryptoki
 # needs them in the main package, because:
-# documentation suggests that programs should dlopen "PKCS11_API.so".
+#   documentation suggests that programs should dlopen "PKCS11_API.so".
 %dir %{_libdir}/opencryptoki
 %{_libdir}/opencryptoki/libopencryptoki.*
 %{_libdir}/opencryptoki/PKCS11_API.so
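Review bot: The new `/run/%{name}` entry is written differently from the lock directories two lines above it: it hard-codes `/run` instead of `%{_rundir}` and is not `%ghost`, although `/run` is normally a tmpfs and the directory will not survive a reboot. `%ghost %dir %attr(710,pkcsslotd,pkcs11) %{_rundir}/%{name}` would match the neighbouring lines, assuming the tmpfiles snippet recreates the directory at boot (not visible here). The owner depends on the `pkcsslotd` account created in `%pre libs`, which ends in `exit 0`, so a failed `useradd` goes unnoticed and rpm falls back to root ownership for this path.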
@@ -249,13 +292,11 @@ fi
 %{_libdir}/pkcs11/libopencryptoki.so
 %{_libdir}/pkcs11/PKCS11_API.so
 %{_libdir}/pkcs11/stdll
-# Co-owned with p11-kit
-%dir %{_datadir}/p11-kit/
-%dir %{_datadir}/p11-kit/modules/
-%{_datadir}/p11-kit/modules/opencryptoki.module
+%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki
 
 %files devel
 %{_includedir}/%{name}/
+%{_libdir}/pkgconfig/%{name}.pc
 
 %files swtok
 %{_libdir}/opencryptoki/stdll/libpkcs11_sw.*
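Review bot: With the p11-kit module lines removed here and the matching `install -Dpm 644 %{SOURCE1}` line removed from `%install`, nothing in the visible spec uses `Source1: opencryptoki.module` any more, yet it is still declared and still hashed in `opencryptoki.signatures.json`. Drop `Source1` and its signature entry, or add a comment above it such as `# kept for reference, not installed since p11-kit support was dropped`. Carrying an unused source makes the signatures file harder to audit.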
@@ -263,7 +304,7 @@ fi
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/
 
-%if !0%{?azl}
+%if 0%{?tmptok}
 %files tpmtok
 %doc doc/README.tpm_stdll
 %{_libdir}/opencryptoki/stdll/libpkcs11_tpm.*
@@ -285,16 +326,21 @@ fi
 %{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/
+%endif
 
+%ifarch s390 s390x x86_64 ppc64le
 %files ccatok
 %doc doc/README.cca_stdll
+%config(noreplace) %{_sysconfdir}/%{name}/ccatok.conf
 %{_sbindir}/pkcscca
 %{_mandir}/man1/pkcscca.1*
 %{_libdir}/opencryptoki/stdll/libpkcs11_cca.*
 %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/
+%endif
 
+%ifarch s390 s390x
 %files ep11tok
 %doc doc/README.ep11_stdll
 %config(noreplace) %{_sysconfdir}/%{name}/ep11tok.conf
@@ -311,17 +357,199 @@ fi
 
 
 %changelog
-* Fri Mar 29 2024 Chris Co <chrco@microsoft.com> - 3.17.0-2
-- Drop tpm 1.2 support
-
-* Mon Sep 04 2023 Muhammad Falak <mwani@microsoft.com> - 3.17.0-1
-- Upgrade version to address CVE-2021-3798
-- Lint spec
+* Wed Jan 15 2025 Durga Jagadeesh Palli <v-dpalli@microsoft.com> - 3.24.0-3
+- Update to 3.24.0
 - License verified
 
-* Thu Mar 18 2021 Henry Li <lihl@microsoft.com> - 3.13.0-2
-- Initial CBL-Mariner import from Fedora 32 (license: MIT).
-- Remove libitm-devel from build requirement because gcc already includes the necessary binaries it covers
+* Fri Sep 13 2024 Than Ngo <than@redhat.com> - 3.24.0-2
+- build with --enable-pkcscca_migrate
+- fix build error due to incompatible pointer types
+
+* Fri Sep 13 2024 Than Ngo <than@redhat.com> - 3.24.0-1
+- Update to 3.24.0
+  * Add support for building Opencryptoki on the IBM AIX platform
+  * Add support for the CCA token on non-IBM Z platforms (x86_64, ppc64)
+  * Add support for protecting tokens with a token specific user group
+  * EP11: Add support for combined CKA_EXTRACTABLE and CKA_IBM_PROTKEY_EXTRACTABLE
+  * CCA: Add support for Koblitz curve secp256k1. Requires CCA v7.2 or later
+  * CCA: Add support for IBM Dilithium (CKM_IBM_DILITHIUM).
+    On Linux on IBM Z: Requires CCA v7.1 or later for Round2-65, and CCA v8.0 for the Round 3 variants.
+    On other platforms: Requires CCA v7.2.43 or later for Round2-65, the Round 3 variants are currently not supported
+  * CCA: Add support for RSA-OAEP with SHA224, SHA384, and SHA512 on en-/decrypt. Requires CCA v8.1 or later on Linux on IBM Z, not supported on other platforms
+  * CCA: Add support for PKCS#11 v3.0 SHA3 mechanisms. Requires CCA v8.1 on Linux on IBM Z, not supported on other platforms
+  * ICA: Support new libica AES-GCM api using the KMA instruction on z14 and later
+  * ICA/Soft/ICSF: Add support for PKCS#11 v3.0 SHA3 mechanisms
+  * ICA/Soft: Add support for SHA based key derivation mechanisms
+  * ICA/Soft: Add support for CKD_*_SP800 KDFs for ECDH
+  * EP11/CCA/ICA/Soft: Add support for CKA_ALWAYS_AUTHENTICATE
+  * EP11/CCA: Support live guest relocation for protected key (PKEY) operations
+  * Soft: Experimental support for IBM Dilithium via OpenSSL OQS provider
+  * ICSF: Add support for SHA-2 mechanisms
+  * ICSF: Performance improvements for attribute retrieval
+  * p11sak: Add support for exporting a key or certificate as URI-PEM file
+  * p11sak: Import/export of IBM Dilithium keys in 'oqsprovider' format PEM files
+  * p11sak: Add option to show the master key verification patterns of secure keys
+  * Bug fixes
+- Remove i686 support as upsrtream will get rid of 32-bit support, https://github.com/opencryptoki/opencryptoki/issues/174
+- Remove lockdir.patch
+
+* Thu Jul 18 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.23.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Wed Feb 07 2024 Than Ngo <than@redhat.com> - 3.23.0-1
+- 3.23.0
+   * EP11: Add support for FIPS-session mode
+   * Updates to harden against RSA timing attacks
+   * Bug fixes
+
+* Tue Jan 30 2024 Dan Horák <dan[at]danny.cz> - 3.22.0-4
+- fix all errors and warnings (rhbz#2261419)
+
+* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.22.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.22.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Thu Sep 21 2023 Than Ngo <than@redhat.com> - 3.22.0-1
+- update to 3.22.0
+
+* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.21.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Mon Jul 17 2023 Than Ngo <than@redhat.com> - 3.21.0-5
+- p11sak tool: slot option does not accept argument 0 for slot index 0
+- p11sak fails as soon as there reside non-key objects
+
+* Thu May 25 2023 Than Ngo <than@redhat.com> - 3.21.0-4
+- add verify attributes for opencryptoki.conf to ignore the
+  verification 
+
+* Mon May 22 2023 Than Ngo <than@redhat.com> - 3.21.0-3
+- drop p11_kit_support
+- fix handling of user name
+- fix user confirmation prompt behavior when stdin is closed
+
+* Tue May 16 2023 Than Ngo <than@redhat.com> - 3.21.0-2
+- add missing /var/lib/opencryptoki/HSM_MK_CHANGE 
+
+* Mon May 15 2023 Than Ngo <than@redhat.com> - 3.21.0-1
+- update to 3.21.0
+
+* Tue Feb 14 2023 Than Ngo <than@redhat.com> - 3.20.0-2
+- migrated to SPDX license
+
+* Mon Feb 13 2023 Than Ngo <than@redhat.com> - 3.20.0-1
+- update to 3.20.0
+- drop unnecessary opencryptoki-3.11.0-group.patch
+
+* Wed Feb 08 2023 Than Ngo <than@redhat.com> - 3.19.0-3
+- Add support of ep11 token for new IBM Z Hardware (IBM z16)
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.19.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Tue Oct 11 2022 Than Ngo <than@redhat.com> - 3.19.0-1
+- update to 3.19.0
+
+* Wed Sep 14 2022 Florian Weimer <fweimer@redhat.com> - 3.18.0-5
+- Add missing build dependency on systemd-rpm-macros
+
+* Mon Aug 01 2022 Than Ngo <than@redhat.com> - 3.18.0-4
+- fix json output
+- do not touch opencryptoki.conf if it is in place already and even if it is unchanged
+
+* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.18.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Mon May 09 2022 Than Ngo <than@redhat.com> - 3.18.0-2
+- add missing strength.conf
+
+* Mon May 02 2022 Than Ngo <than@redhat.com> - 3.18.0-1
+- 3.18.0
+
+* Wed Apr 20 2022 Dan Horák <dan[at]danny.cz> - 3.17.0-7
+- fix initialization (#2075851, #2074587)
+
+* Wed Apr 06 2022 Than Ngo <than@redhat.com> - 3.17.0-6
+- add tokversion
+
+* Wed Apr 06 2022 Than Ngo <than@redhat.com> - 3.17.0-5
+- upstream fixes - openssl cleanup for opencryptoki, Avoid deadlock when stopping event thread
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.17.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Thu Nov 25 2021 Than Ngo <than@redhat.com> - 3.17.0-3
+- fix covscan issues
+
+* Tue Nov 09 2021 Than Ngo <than@redhat.com> - 3.17.0-2
+- add missing config file p11sak_defined_attrs.conf
+
+* Tue Oct 19 2021 Than Ngo <than@redhat.com> - 3.17.0-1
+- rebase to 3.17.0
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 3.16.0-5
+- Rebuilt with OpenSSL 3.0.0
+
+* Fri Sep 03 2021 Than Ngo <than@redhat.com> - 3.16.0-4
+- Resolves: #1987186, pkcstok_migrate leaves options with multiple strings in opencryptoki.conf options without double-quotes
+- Resolves: #1974365, Fix detection if pkcsslotd is still running
+
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.16.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Wed Jun 30 2021 Than Ngo <than@redhat.com> - 3.16.0-2
+- Added Event Notification Support
+- Added conditional requirement on selinux-policy  >= 34.10-1
+- pkcsslotd PIDfile below legacy directory
+- Added BR on systemd-devel
+
+* Wed Mar 31 2021 Dan Horák <dan[at]danny.cz> - 3.16.0-1
+- Rebase to 3.16.0
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 3.15.1-6
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Fri Feb 12 2021 Than Ngo <than@redhat.com> - 3.15.1-5
+- Added upstream patch, a slot ID has nothing to do with the number of slots
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.15.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Dec 22 2020 Than Ngo <than@redhat.com> - 3.15.1-3
+- Drop tpm1.2 support by default
+
+* Tue Dec 22 2020 Than Ngo <than@redhat.com> - 3.15.1-2
+- Fix compiling with c++
+- Added error message handling for p11sak remove-key command
+- Add BR on make
+
+* Mon Nov 02 2020 Than Ngo <than@redhat.com> - 3.15.1-1
+- Rebase to 3.15.1
+
+* Mon Oct 19 2020 Dan Horák <dan[at]danny.cz> - 3.15.0-1
+- Rebase to 3.15.0
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.14.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 3.14.0-5
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Wed Jul 08 2020 Than Ngo <than@redhat.com> - 3.14.0-4
+- added PIN conversion tool
+
+* Wed Jul 01 2020 Than Ngo <than@redhat.com> - 3.14.0-3
+- upstream fix - handle early error cases in C_Initialize
+
+* Wed May 27 2020 Than Ngo <than@redhat.com> - 3.14.0-2
+- fix regression, segfault in C_SetPin
+
+* Fri May 15 2020 Dan Horák <dan[at]danny.cz> - 3.14.0-1
+- Rebase to 3.14.0
 
 * Fri Mar 06 2020 Dan Horák <dan[at]danny.cz> - 3.13.0-1
 - Rebase to 3.13.0
diff --git a/cgmanifest.json b/cgmanifest.json
index 5832a4ca3ec..ba2e03d32dc 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -15093,8 +15093,8 @@
         "type": "other",
         "other": {
           "name": "opencryptoki",
-          "version": "3.17.0",
-          "downloadUrl": "https://github.com/opencryptoki/opencryptoki/archive/v3.17.0/opencryptoki-3.17.0.tar.gz"
+          "version": "3.24.0",
+          "downloadUrl": "https://github.com/opencryptoki/opencryptoki/archive/v3.24.0/opencryptoki-3.24.0.tar.gz"
         }
       }
     },