diff --git a/SOURCES/softhsm-2.6.1-rh1857272-negatives.patch b/SOURCES/softhsm-2.6.1-rh1857272-negatives.patch
new file mode 100644
index 0000000..049f71c
--- /dev/null
+++ b/SOURCES/softhsm-2.6.1-rh1857272-negatives.patch
@@ -0,0 +1,230 @@
+From cfe1f7fdd12e202fa2d056c7fd731cfeee378a98 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 15 Jul 2020 18:12:32 +0200
+Subject: [PATCH] Unbreak negative mechanism lists in slots.mechanisms +
+ testcase
+
+Previously, when the list for slots.mechanisms was prefixed with
+minus sign "-", the first mechanism was skipped as invalid and
+therefore the tool was presenting wrong list of algorithms.
+
+This fixes the initial index for selection of first algorithm
+and adds unit test for this scenario.
+---
+ .gitignore                                    |  1 +
+ configure.ac                                  |  1 +
+ src/lib/SoftHSM.cpp                           |  9 ++-
+ src/lib/test/InfoTests.cpp                    | 70 ++++++++++++++++++-
+ src/lib/test/InfoTests.h                      |  2 +
+ src/lib/test/Makefile.am                      |  1 +
+ src/lib/test/softhsm2-negative-mech.conf.in   |  8 +++
+ .../test/softhsm2-negative-mech.conf.win32    |  7 ++
+ win32/p11test/p11test.vcxproj.in              |  2 +
+ 9 files changed, 97 insertions(+), 4 deletions(-)
+ create mode 100644 src/lib/test/softhsm2-negative-mech.conf.in
+ create mode 100644 src/lib/test/softhsm2-negative-mech.conf.win32
+
+diff --git a/configure.ac b/configure.ac
+index d4dad435..c6a51c7a 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -217,6 +217,7 @@ AC_CONFIG_FILES([
+ 	src/lib/test/softhsm2-alt.conf
+ 	src/lib/test/softhsm2-reset-on-fork.conf
+ 	src/lib/test/softhsm2-mech.conf
++	src/lib/test/softhsm2-negative-mech.conf
+ 	src/lib/test/tokens/dummy
+ 	src/bin/Makefile
+ 	src/bin/common/Makefile
+diff --git a/src/lib/SoftHSM.cpp b/src/lib/SoftHSM.cpp
+index 0a0c32cc..cac724e6 100644
+--- a/src/lib/SoftHSM.cpp
++++ b/src/lib/SoftHSM.cpp
+@@ -791,12 +791,17 @@ void SoftHSM::prepareSupportedMecahnisms(std::map<std::string, CK_MECHANISM_TYPE
+ 	if (mechs != "ALL")
+ 	{
+ 		bool negative = (mechs[0] == '-');
+-		if (!negative)
++		size_t pos = 0, prev = 0;
++		if (negative)
++		{
++			/* Skip the minus sign */
++			prev = 1;
++		}
++		else
+ 		{
+ 			/* For positive list, we remove everything */
+ 			supportedMechanisms.clear();
+ 		}
+-		size_t pos = 0, prev = 0;
+ 		std::string token;
+ 		do
+ 		{
+diff --git a/src/lib/test/InfoTests.cpp b/src/lib/test/InfoTests.cpp
+index a07956fb..d2218e34 100644
+--- a/src/lib/test/InfoTests.cpp
++++ b/src/lib/test/InfoTests.cpp
+@@ -328,9 +328,9 @@ void InfoTests::testGetMechanismListConfig()
+ 	CK_MECHANISM_TYPE_PTR pMechanismList;
+ 
+ #ifndef _WIN32
+-    setenv("SOFTHSM2_CONF", "./softhsm2-mech.conf", 1);
++	setenv("SOFTHSM2_CONF", "./softhsm2-mech.conf", 1);
+ #else
+-    setenv("SOFTHSM2_CONF", ".\\softhsm2-mech.conf", 1);
++	setenv("SOFTHSM2_CONF", ".\\softhsm2-mech.conf", 1);
+ #endif
+ 
+ 	// Just make sure that we finalize any previous failed tests
+@@ -363,6 +363,72 @@ void InfoTests::testGetMechanismListConfig()
+ #endif
+ }
+ 
++void InfoTests::testGetMechanismNegativeListConfig()
++{
++	CK_RV rv;
++	CK_ULONG ulMechCount = 0;
++	CK_MECHANISM_TYPE_PTR pMechanismList;
++	CK_ULONG allMechsCount = 0;
++
++	// Just make sure that we finalize any previous failed tests
++	CRYPTOKI_F_PTR( C_Finalize(NULL_PTR) );
++
++	// First of all, try to get the default list
++	rv = CRYPTOKI_F_PTR( C_GetMechanismList(m_initializedTokenSlotID, NULL_PTR, &ulMechCount) );
++	CPPUNIT_ASSERT(rv == CKR_CRYPTOKI_NOT_INITIALIZED);
++
++	rv = CRYPTOKI_F_PTR( C_Initialize(NULL_PTR) );
++	CPPUNIT_ASSERT(rv == CKR_OK);
++
++	// Get the size of the buffer
++	rv = CRYPTOKI_F_PTR( C_GetMechanismList(m_initializedTokenSlotID, NULL_PTR, &ulMechCount) );
++	CPPUNIT_ASSERT(rv == CKR_OK);
++	pMechanismList = (CK_MECHANISM_TYPE_PTR)malloc(ulMechCount * sizeof(CK_MECHANISM_TYPE_PTR));
++	/* Remember how many mechanisms are supported */
++	allMechsCount = ulMechCount;
++
++	// Get the mechanism list
++	rv = CRYPTOKI_F_PTR( C_GetMechanismList(m_initializedTokenSlotID, pMechanismList, &ulMechCount) );
++	CPPUNIT_ASSERT(rv == CKR_OK);
++	CPPUNIT_ASSERT_EQUAL(allMechsCount, ulMechCount);
++	free(pMechanismList);
++
++	CRYPTOKI_F_PTR( C_Finalize(NULL_PTR) );
++	/* Now try with configuration having negative list */
++#ifndef _WIN32
++	setenv("SOFTHSM2_CONF", "./softhsm2-negative-mech.conf", 1);
++#else
++	setenv("SOFTHSM2_CONF", ".\\softhsm2-negative-mech.conf", 1);
++#endif
++
++	rv = CRYPTOKI_F_PTR( C_Initialize(NULL_PTR) );
++	CPPUNIT_ASSERT(rv == CKR_OK);
++
++	// Get the size of the buffer
++	rv = CRYPTOKI_F_PTR( C_GetMechanismList(m_initializedTokenSlotID, NULL_PTR, &ulMechCount) );
++	CPPUNIT_ASSERT(rv == CKR_OK);
++	/* We should get 2 shorter */
++	//CPPUNIT_ASSERT_EQUAL(allMechsCount - 2, ulMechCount);
++	pMechanismList = (CK_MECHANISM_TYPE_PTR)malloc(ulMechCount * sizeof(CK_MECHANISM_TYPE_PTR));
++
++	// Get the mechanism list
++	rv = CRYPTOKI_F_PTR( C_GetMechanismList(m_initializedTokenSlotID, pMechanismList, &ulMechCount) );
++	CPPUNIT_ASSERT(rv == CKR_OK);
++	//CPPUNIT_ASSERT_EQUAL(allMechsCount - 2, ulMechCount);
++	for (unsigned long i = 0; i < ulMechCount; i++) {
++		CPPUNIT_ASSERT(pMechanismList[i] != CKM_RSA_X_509);
++		CPPUNIT_ASSERT(pMechanismList[i] != CKM_RSA_PKCS);
++	}
++	free(pMechanismList);
++
++	CRYPTOKI_F_PTR( C_Finalize(NULL_PTR) );
++#ifndef _WIN32
++	setenv("SOFTHSM2_CONF", "./softhsm2.conf", 1);
++#else
++	setenv("SOFTHSM2_CONF", ".\\softhsm2.conf", 1);
++#endif
++}
++
+ void InfoTests::testWaitForSlotEvent()
+ {
+ 	CK_RV rv;
+diff --git a/src/lib/test/InfoTests.h b/src/lib/test/InfoTests.h
+index dfd02953..1cc99ccb 100644
+--- a/src/lib/test/InfoTests.h
++++ b/src/lib/test/InfoTests.h
+@@ -49,6 +49,7 @@ class InfoTests : public TestsNoPINInitBase
+ 	CPPUNIT_TEST(testGetMechanismInfo);
+ 	CPPUNIT_TEST(testGetSlotInfoAlt);
+ 	CPPUNIT_TEST(testGetMechanismListConfig);
++	CPPUNIT_TEST(testGetMechanismNegativeListConfig);
+ 	CPPUNIT_TEST(testWaitForSlotEvent);
+ 	CPPUNIT_TEST_SUITE_END();
+ 
+@@ -62,6 +63,7 @@ class InfoTests : public TestsNoPINInitBase
+ 	void testGetMechanismInfo();
+ 	void testGetSlotInfoAlt();
+ 	void testGetMechanismListConfig();
++	void testGetMechanismNegativeListConfig();
+ 	void testWaitForSlotEvent();
+ };
+ 
+diff --git a/src/lib/test/Makefile.am b/src/lib/test/Makefile.am
+index 17887dd4..a22ce668 100644
+--- a/src/lib/test/Makefile.am
++++ b/src/lib/test/Makefile.am
+@@ -39,6 +39,7 @@ EXTRA_DIST =			$(srcdir)/CMakeLists.txt \
+ 				$(srcdir)/*.h \
+ 				$(srcdir)/softhsm2-alt.conf.win32 \
+ 				$(srcdir)/softhsm2-reset-on-fork.conf.win32 \
++				$(srcdir)/softhsm2-negative-mech.conf.win32 \
+ 				$(srcdir)/softhsm2-mech.conf.win32 \
+ 				$(srcdir)/softhsm2.conf.win32 \
+ 				$(srcdir)/tokens/dummy.in
+diff --git a/src/lib/test/softhsm2-negative-mech.conf.in b/src/lib/test/softhsm2-negative-mech.conf.in
+new file mode 100644
+index 00000000..51f7e6ac
+--- /dev/null
++++ b/src/lib/test/softhsm2-negative-mech.conf.in
+@@ -0,0 +1,8 @@
++# SoftHSM v2 configuration file
++
++directories.tokendir = @builddir@/tokens
++objectstore.backend = file
++log.level = INFO
++slots.removable = false
++slots.mechanisms = -CKM_RSA_X_509,CKM_RSA_PKCS
++
+diff --git a/src/lib/test/softhsm2-negative-mech.conf.win32 b/src/lib/test/softhsm2-negative-mech.conf.win32
+new file mode 100644
+index 00000000..a3aefb96
+--- /dev/null
++++ b/src/lib/test/softhsm2-negative-mech.conf.win32
+@@ -0,0 +1,7 @@
++# SoftHSM v2 configuration file
++
++directories.tokendir = .\tokens
++objectstore.backend = file
++log.level = INFO
++slots.removable = false
++slots.mechanisms = -CKM_RSA_X_509,CKM_RSA_PKCS
+diff --git a/win32/p11test/p11test.vcxproj.in b/win32/p11test/p11test.vcxproj.in
+index 55dfb087..88859bca 100644
+--- a/win32/p11test/p11test.vcxproj.in
++++ b/win32/p11test/p11test.vcxproj.in
+@@ -67,6 +67,7 @@ copy ..\..\src\lib\test\softhsm2.conf.win32 "$(TargetDir)\softhsm2.conf"
+ copy ..\..\src\lib\test\softhsm2-alt.conf.win32 "$(TargetDir)\softhsm2-alt.conf"
+ copy ..\..\src\lib\test\softhsm2-reset-on-fork.conf.win32 "$(TargetDir)\softhsm2-reset-on-fork.conf"
+ copy ..\..\src\lib\test\softhsm2-mech.conf.win32 "$(TargetDir)\softhsm2-mech.conf"
++copy ..\..\src\lib\test\softhsm2-negative-mech.conf.win32 "$(TargetDir)\softhsm2-negative-mech.conf"
+ mkdir "$(TargetDir)\tokens" 2&gt; nul
+ copy ..\..\src\lib\test\tokens\dummy.in "$(TargetDir)\tokens\dummy"
+       </Command>
+@@ -99,6 +100,7 @@ copy ..\..\src\lib\test\softhsm2.conf.win32 "$(TargetDir)\softhsm2.conf"
+ copy ..\..\src\lib\test\softhsm2-alt.conf.win32 "$(TargetDir)\softhsm2-alt.conf"
+ copy ..\..\src\lib\test\softhsm2-reset-on-fork.conf.win32 "$(TargetDir)\softhsm2-reset-on-fork.conf"
+ copy ..\..\src\lib\test\softhsm2-mech.conf.win32 "$(TargetDir)\softhsm2-mech.conf"
++copy ..\..\src\lib\test\softhsm2-negative-mech.conf.win32 "$(TargetDir)\softhsm2-negative-mech.conf"
+ mkdir "$(TargetDir)\tokens" 2&gt; nul
+ copy ..\..\src\lib\test\tokens\dummy.in "$(TargetDir)\tokens\dummy"
+       </Command>
diff --git a/SPECS/softhsm.spec b/SPECS/softhsm.spec
index 4994c92..22b7a55 100644
--- a/SPECS/softhsm.spec
+++ b/SPECS/softhsm.spec
@@ -1,15 +1,18 @@
 #global prever rc1
+# Rebuild configure.ac if patches do change it
+%global rebuild_ac 1
 
 Summary: Software version of a PKCS#11 Hardware Security Module
 Name: softhsm
 Version: 2.6.0
-Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist}
+Release: %{?prever:0.}5%{?prever:.%{prever}}%{?dist}
 License: BSD
 Url: http://www.opendnssec.org/
 Source: http://dist.opendnssec.org/source/%{?prever:testing/}%{name}-%{version}.tar.gz
 Source1: http://dist.opendnssec.org/source/%{?prever:testing/}%{name}-%{version}.tar.gz.sig
 
 Patch1: softhsm-2.6.1-rh1834909-exit.patch
+Patch2: softhsm-2.6.1-rh1857272-negatives.patch
 
 Group: Applications/System
 BuildRequires: openssl-devel >= 1.0.1k-6, sqlite-devel >= 3.4.2, cppunit-devel
@@ -33,7 +36,7 @@ with other cryptographic products because of the PKCS#11 interface.
 Summary: Development package of softhsm that includes the header files
 Group: Development/Libraries
 Requires: %{name} = %{version}-%{release}, openssl-devel, sqlite-devel
-%if 0%{?prever:1}
+%if 0%{?prever:!} || 0%{?rebuild_ac}
 BuildRequires: autoconf, libtool, automake
 %endif
 
@@ -43,21 +46,22 @@ The devel package contains the libsofthsm include files
 %prep
 %setup -q -n %{name}-%{version}%{?prever}
 %patch1 -p1
+%patch2 -p1
 
 # remove softhsm/ subdir auto-added to --libdir
 sed -i "s:full_libdir/softhsm:full_libdir:g" configure
-%if 0%{?prever:1}
+%if 0%{?prever:1} || 0%{?rebuild_ac}
 sed -i 's:^full_libdir=":#full_libdir=":g' configure.ac
 %endif
 sed -i "s:libdir)/@PACKAGE@:libdir):" Makefile.in
 
 sed -i 's:$full_libdir/libsofthsm2\.so:libsofthsm2\.so:g' configure
 
-%if 0%{?prever:1}
+%if 0%{?prever:1} || 0%{?rebuild_ac}
 sed -i 's:$full_libdir/libsofthsm2\.so:libsofthsm2\.so:g' configure.ac
 %endif
 
-%if 0%{?prever:1}
+%if 0%{?prever:1} || 0%{?rebuild_ac}
 autoreconf -fiv
 %endif
 
@@ -121,6 +125,13 @@ if [ -f /var/softhsm/slot0.db ]; then
 fi
 
 %changelog
+* Mon Feb 15 2021 Thomas Woerner <twoerner@redhat.com> - 2.6.0-5
+- Install prever devel package requirements for new negative option patch
+  Related: RHBZ#1857272
+
+* Mon Feb 15 2021 Alexander Bokovoy <abokovoy@redhat.com> - 2.6.0-4
+- Fixes: rhbz#1857272 - negative option for token.mechanism not working correctly
+
 * Thu Jun 04 2020 Alexander Bokovoy <abokovoy@redhat.com> - 2.6.0-3
 - Fixes: rhbz#1834909 - softhsm use-after-free on process exit
 - Synchronize the final fix with Fedora