src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Digest.java

*** 141,151 ****
      // see JCA spec
      protected void engineReset() {
          token.ensureValid();
  
          if (session != null) {
!             if (state == S_INIT && token.explicitCancel == true) {
                  session = token.killSession(session);
              } else {
                  session = token.releaseSession(session);
              }
          }
--- 141,152 ----
      // see JCA spec
      protected void engineReset() {
          token.ensureValid();
  
          if (session != null) {
!             if (state == S_INIT && token.explicitCancel == true
!                     && session.hasObjects() == false) {
                  session = token.killSession(session);
              } else {
                  session = token.releaseSession(session);
              }
          }
*** 262,272 ****
--- 263,278 ----
  
              if (bufOfs != 0) {
                  token.p11.C_DigestUpdate(session.id(), 0, buffer, 0, bufOfs);
                  bufOfs = 0;
              }
+             p11Key.incNativeKeyRef();
+             try {
                  token.p11.C_DigestKey(session.id(), p11Key.keyID);
+             } finally {
+                 p11Key.decNativeKeyRef();
+             }
          } catch (PKCS11Exception e) {
              engineReset();
              throw new ProviderException("update(SecretKey) failed", e);
          }
      }