diff --git a/SOURCES/opencryptoki-3.25.0-fix-private-secure-key-blob-import.patch b/SOURCES/opencryptoki-3.25.0-fix-private-secure-key-blob-import.patch
new file mode 100644
index 0000000..ccc3238
--- /dev/null
+++ b/SOURCES/opencryptoki-3.25.0-fix-private-secure-key-blob-import.patch
@@ -0,0 +1,116 @@
+commit ab740fd0d596914919719ecbee90b0ad5fbb7112
+Author: Ingo Franzki
+Date: Mon Nov 10 08:54:23 2025 +0100
+
+ EP11: Fix private secure key blob import
+
+ Newer EP11 firmware versions do not allow to get attribute CKA_VALUE_LEN
+ for private keys, because CKA_VALUE_LEN is not defined for these
+ key types. This now causes error CKR_ATTRIBUTE_TYPE_INVALID.
+ Older firmware versions ignored that and did not fail if CKA_VALUE_LEN
+ was attempted to be retrieved.
+
+ Use separate templates for getting the attributes of public, private or
+ secret keys, and get CKA_VALUE_LEN only for secret keys.
+
+ Fixes: 169ab762c283ca341350580c2c080720e62967e8
+
+ Signed-off-by: Ingo Franzki
+
+diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
+index 4e6944e6..b6a9c014 100644
+--- a/usr/lib/ep11_stdll/ep11_specific.c
++++ b/usr/lib/ep11_stdll/ep11_specific.c
+@@ -5386,13 +5386,24 @@ static CK_RV import_blob(STDLL_TokData_t *tokdata, SESSION *sess, OBJECT *obj,
+ CK_KEY_TYPE blob_type2 = CK_UNAVAILABLE_INFORMATION;
+ CK_ULONG value_len, value_len2, stdcomp, stdcomp2;
+ CK_BYTE buf[MAX_BLOBSIZE];
+- CK_ATTRIBUTE get_attr[] = {
+- { CKA_KEY_TYPE, &blob_type, sizeof(blob_type) }, /* must be first */
++ CK_ATTRIBUTE get_attr_pub[] = {
++ { CKA_KEY_TYPE, &blob_type, sizeof(blob_type) },
++ };
++ CK_ULONG get_attr_pub_num = sizeof(get_attr_pub) / sizeof(CK_ATTRIBUTE);
++ CK_ATTRIBUTE get_attr_priv[] = {
++ { CKA_KEY_TYPE, &blob_type, sizeof(blob_type) },
++ { CKA_IBM_STD_COMPLIANCE1, &stdcomp, sizeof(stdcomp) },
++ { CKA_PUBLIC_KEY_INFO, &buf, sizeof(buf) },
++ };
++ CK_ULONG get_attr_priv_num = sizeof(get_attr_priv) / sizeof(CK_ATTRIBUTE);
++ CK_ATTRIBUTE get_attr_sec[] = {
++ { CKA_KEY_TYPE, &blob_type, sizeof(blob_type) },
+ { CKA_VALUE_LEN, &value_len, sizeof(value_len) },
+ { CKA_IBM_STD_COMPLIANCE1, &stdcomp, sizeof(stdcomp) },
+- { CKA_PUBLIC_KEY_INFO, &buf, sizeof(buf) } /* SPKI must be last */
+ };
+- CK_ULONG get_attr_num = sizeof(get_attr) / sizeof(CK_ATTRIBUTE);
++ CK_ULONG get_attr_sec_num = sizeof(get_attr_sec) / sizeof(CK_ATTRIBUTE);
++ CK_ATTRIBUTE *get_attr = NULL;
++ CK_ULONG get_attr_num = 0;
+ CK_ATTRIBUTE get_attr2[] = {
+ { CKA_KEY_TYPE, &blob_type2, sizeof(blob_type2) },
+ { CKA_VALUE_LEN, &value_len2, sizeof(value_len2) },
+@@ -5629,10 +5640,22 @@ static CK_RV import_blob(STDLL_TokData_t *tokdata, SESSION *sess, OBJECT *obj,
+ }
+ }
+
+- if (class == CKO_PUBLIC_KEY)
+- get_attr_num = 1; /* get only key type for public key */
+- if (class == CKO_SECRET_KEY)
+- get_attr_num--; /* don't get SPKI for secret key */
++ switch (class) {
++ case CKO_PUBLIC_KEY:
++ get_attr = get_attr_pub;
++ get_attr_num = get_attr_pub_num;
++ break;
++ case CKO_PRIVATE_KEY:
++ get_attr = get_attr_priv;
++ get_attr_num = get_attr_priv_num;
++ break;
++ case CKO_SECRET_KEY:
++ get_attr = get_attr_sec;
++ get_attr_num = get_attr_sec_num;
++ break;
++ default:
++ return CKR_KEY_TYPE_INCONSISTENT;
++ }
+
+ /* Get Key type and SPKI for private keys */
+ blob1_len = keytype == CKK_AES_XTS ? blob_len / 2 : blob_len;
+@@ -5713,8 +5736,8 @@ static CK_RV import_blob(STDLL_TokData_t *tokdata, SESSION *sess, OBJECT *obj,
+
+ case CKO_PRIVATE_KEY:
+ rc = import_blob_private_public(tokdata, sess, obj, keytype,
+- get_attr[get_attr_num - 1].pValue,
+- get_attr[get_attr_num - 1].ulValueLen,
++ get_attr_priv[get_attr_priv_num - 1].pValue,
++ get_attr_priv[get_attr_priv_num - 1].ulValueLen,
+ FALSE);
+ if (rc != CKR_OK) {
+ TRACE_ERROR("%s import_blob_public failed rc=0x%lx\n",
+@@ -5733,15 +5756,17 @@ static CK_RV import_blob(STDLL_TokData_t *tokdata, SESSION *sess, OBJECT *obj,
+ break;
+ }
+
+- rc = template_build_update_attribute(obj->template, CKA_IBM_STD_COMPLIANCE1,
+- (CK_BYTE *)&stdcomp, sizeof(stdcomp));
+- if (rc != CKR_OK) {
+- TRACE_ERROR("%s template_build_update_attribute failed rc=0x%lx\n",
+- __func__, rc);
+- return rc;
+- }
+-
+ if (class != CKO_PUBLIC_KEY) {
++ rc = template_build_update_attribute(obj->template,
++ CKA_IBM_STD_COMPLIANCE1,
++ (CK_BYTE *)&stdcomp,
++ sizeof(stdcomp));
++ if (rc != CKR_OK) {
++ TRACE_ERROR("%s template_build_update_attribute failed rc=0x%lx\n",
++ __func__, rc);
++ return rc;
++ }
++
+ /* Set CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE */
+ rc = key_mgr_apply_always_sensitive_never_extractable_attrs(tokdata,
+ obj);
diff --git a/SOURCES/opencryptoki-3.25.0-fix-unwrapping-attribute-bound-EC-keys.patch b/SOURCES/opencryptoki-3.25.0-fix-unwrapping-attribute-bound-EC-keys.patch
new file mode 100644
index 0000000..7d32afb
--- /dev/null
+++ b/SOURCES/opencryptoki-3.25.0-fix-unwrapping-attribute-bound-EC-keys.patch
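Review bot: The `/* SPKI must be last */` comment is dropped from the new `get_attr_priv` template in the first hunk, yet the `@@ -5713` hunk still reaches the SPKI through `get_attr_priv[get_attr_priv_num - 1]`, so the ordering invariant is now unstated; restore it on that entry, `{ CKA_PUBLIC_KEY_INFO, &buf, sizeof(buf) }, /* SPKI must be last */`, and likewise `/* must be first */` on the CKA_KEY_TYPE entries if code outside the hunks reads blob_type by position. With the split templates `value_len` is only retrieved for secret keys and `stdcomp` only for private and secret keys, and both stay uninitialized otherwise; import_blob continues past these hunks, so any later read of them presumably needs the same class guard the commit adds around template_build_update_attribute in the `@@ -5733` hunk. The new `default: return CKR_KEY_TYPE_INCONSISTENT;` in the `@@ -5629` hunk is an early exit from the middle of the function, and whether anything acquired earlier in import_blob needs releasing on that path is not visible here. import_blob begins and ends outside the hunks.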
@@ -0,0 +1,50 @@
+commit d3dc88c720fdbf56a64f3990148387649f366aeb
+Author: Ingo Franzki
+Date: Thu Nov 6 15:27:36 2025 +0100
+
+ EP11: Fix unwrapping of attribute bound EC keys
+
+ Newer EP11 firmware versions do not allow to get attribute CKA_VALUE_LEN
+ for non-symmetric keys, because CKA_VALUE_LEN is not defined for these
+ key types. This now causes error CKR_ATTRIBUTE_TYPE_INVALID.
+ Older firmware versions ignored that and did not fail if CKA_VALUE_LEN
+ was attempted to be retrieved.
+
+ Fix this by only attempting to obtain CKA_VALUE_LEN for keys that support
+ this attribute.
+
+ Signed-off-by: Ingo Franzki
+
+diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
+index 1baa5443..4e6944e6 100644
+--- a/usr/lib/ep11_stdll/ep11_specific.c
++++ b/usr/lib/ep11_stdll/ep11_specific.c
+@@ -2222,17 +2222,26 @@ static CK_RV ab_unwrap_update_template(STDLL_TokData_t * tokdata,
+ {CKA_KEY_TYPE, &template_keytype, sizeof(template_keytype)},
+ {CKA_VALUE_LEN, &valuelen, sizeof(valuelen)},
+ };
++ CK_ULONG num_attrs = sizeof(attrs) / sizeof(CK_ATTRIBUTE);
+ CK_ULONG i;
+ CK_ATTRIBUTE *attr;
+ CK_BBOOL cktrue = TRUE;
+ CK_BYTE *useblob;
+ size_t useblob_len;
+
++ switch (keytype) {
++ case CKK_GENERIC_SECRET:
++ case CKK_AES:
++ break;
++ default:
++ num_attrs -= 1; /* No CKA_VALUE_LEN attribute */
++ break;
++ }
++
+ RETRY_SESSION_SINGLE_APQN_START(rc, tokdata)
+ RETRY_REENC_BLOB_START(tokdata, target_info, obj, blob, blob_len,
+ useblob, useblob_len, rc)
+- rc = dll_m_GetAttributeValue(useblob, useblob_len, attrs,
+- sizeof(attrs) / sizeof(CK_ATTRIBUTE),
++ rc = dll_m_GetAttributeValue(useblob, useblob_len, attrs, num_attrs,
+ target_info->target);
+ RETRY_REENC_BLOB_END(tokdata, target_info, useblob, useblob_len, rc)
+ RETRY_SESSION_SINGLE_APQN_END(rc, tokdata, session)
diff --git a/SPECS/opencryptoki.spec b/SPECS/opencryptoki.spec
index 2bb3efd..c78c8f4 100644
--- a/SPECS/opencryptoki.spec
+++ b/SPECS/opencryptoki.spec
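Review bot: The `num_attrs -= 1` in the new switch silently depends on CKA_VALUE_LEN being the last entry of `attrs`, a constraint the array declaration does not state; annotate that entry, `{CKA_VALUE_LEN, &valuelen, sizeof(valuelen)}, /* must be last: dropped for key types without CKA_VALUE_LEN */`. For every key type other than CKK_GENERIC_SECRET and CKK_AES `valuelen` is now left unset, so any later read of it in ab_unwrap_update_template (the function continues past the hunk) presumably needs the same keytype check. The allow-list also omits other secret key types this same series handles elsewhere, such as CKK_AES_XTS in import_blob; if attribute-bound unwrap can yield those, it is worth confirming the list is complete rather than tied to the EC case in the title.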
@@ -1,7 +1,7 @@
 Name: opencryptoki
 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 and partially v3.1
 Version: 3.25.0
-Release: 4%{?dist}
+Release: 4%{?dist}.1
 License: CPL-1.0
 URL: https://github.com/opencryptoki/opencryptoki
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@@ -28,6 +28,14 @@ Patch11: opencryptoki-3.25.0-covscan-findings.patch
 # Remove the use of MD5, pkcsslotd crashes in FIPS mode
 Patch12: opencryptoki-3.25.0-reject-using-md5-in-fips-mode.patch
+# EP11: Fix unwrapping of attribute bound EC keys
+# https://github.com/ifranzki/opencryptoki/commit/d3dc88c
+Patch13: opencryptoki-3.25.0-fix-unwrapping-attribute-bound-EC-keys.patch
+
+# EP11: Fix private secure key blob import
+# https://github.com/ifranzki/opencryptoki/commit/ab740fd
+Patch14: opencryptoki-3.25.0-fix-private-secure-key-blob-import.patch
+
 Requires(pre): coreutils
 Requires: (selinux-policy >= 38.1.14-1 if selinux-policy-targeted)
 BuildRequires: gcc gcc-c++
@@ -413,6 +421,11 @@ fi
 %changelog
+* Tue Feb 03 2026 Than Ngo - 3.25.0-4.1
+- Fix unwrapping of attribute bound EC keys
+- Fix private secure key blob import
+ Resolves: RHEL-131644
+
 * Wed Aug 13 2025 Than Ngo - 3.25.0-4
 - Fix pkcsslotd fails to start in FIPS
 - Drop tier1 test as it mostly provides duplicate results
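Review bot: Patch13 and Patch14 are declared in the `@@ -28,6` hunk but nothing in this diff applies them; if %prep uses explicit `%patch` lines rather than `%autosetup`/`%autopatch`, matching `%patch13 -p1` and `%patch14 -p1` entries are needed or the 4.1 build ships the unchanged sources. The %prep section is outside this diff, so this may already be covered by the existing mechanism.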