src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11ECDHKeyAgreement.java

*** 128,140 ****
              };
              CK_ECDH1_DERIVE_PARAMS ckParams =
                      new CK_ECDH1_DERIVE_PARAMS(CKD_NULL, null, publicValue);
              attributes = token.getAttributes
                  (O_GENERATE, CKO_SECRET_KEY, CKK_GENERIC_SECRET, attributes);
!             long keyID = token.p11.C_DeriveKey(session.id(),
                  new CK_MECHANISM(mechanism, ckParams), privateKey.keyID,
                  attributes);
              attributes = new CK_ATTRIBUTE[] {
                  new CK_ATTRIBUTE(CKA_VALUE)
              };
              token.p11.C_GetAttributeValue(session.id(), keyID, attributes);
              byte[] secret = attributes[0].getByteArray();
--- 128,146 ----
              };
              CK_ECDH1_DERIVE_PARAMS ckParams =
                      new CK_ECDH1_DERIVE_PARAMS(CKD_NULL, null, publicValue);
              attributes = token.getAttributes
                  (O_GENERATE, CKO_SECRET_KEY, CKK_GENERIC_SECRET, attributes);
!             privateKey.incNativeKeyRef();
!             long keyID;
!             try {
!                 keyID = token.p11.C_DeriveKey(session.id(),
                          new CK_MECHANISM(mechanism, ckParams), privateKey.keyID,
                  attributes);
+             } finally {
+                 privateKey.decNativeKeyRef();
+             }
              attributes = new CK_ATTRIBUTE[] {
                  new CK_ATTRIBUTE(CKA_VALUE)
              };
              token.p11.C_GetAttributeValue(session.id(), keyID, attributes);
              byte[] secret = attributes[0].getByteArray();
*** 190,209 ****
              };
              CK_ECDH1_DERIVE_PARAMS ckParams =
                      new CK_ECDH1_DERIVE_PARAMS(CKD_NULL, null, publicValue);
              attributes = token.getAttributes
                  (O_GENERATE, CKO_SECRET_KEY, keyType, attributes);
!             long keyID = token.p11.C_DeriveKey(session.id(),
                  new CK_MECHANISM(mechanism, ckParams), privateKey.keyID,
                  attributes);
              CK_ATTRIBUTE[] lenAttributes = new CK_ATTRIBUTE[] {
                  new CK_ATTRIBUTE(CKA_VALUE_LEN),
              };
              token.p11.C_GetAttributeValue(session.id(), keyID, lenAttributes);
              int keyLen = (int)lenAttributes[0].getLong();
              SecretKey key = P11Key.secretKey
!                         (session, keyID, algorithm, keyLen << 3, attributes);
              return key;
          } catch (PKCS11Exception e) {
              throw new InvalidKeyException("Could not derive key", e);
          } finally {
              publicValue = null;
--- 196,221 ----
              };
              CK_ECDH1_DERIVE_PARAMS ckParams =
                      new CK_ECDH1_DERIVE_PARAMS(CKD_NULL, null, publicValue);
              attributes = token.getAttributes
                  (O_GENERATE, CKO_SECRET_KEY, keyType, attributes);
!             privateKey.incNativeKeyRef();
!             long keyID;
!             try {
!                 keyID = token.p11.C_DeriveKey(session.id(),
                          new CK_MECHANISM(mechanism, ckParams), privateKey.keyID,
                  attributes);
+             } finally {
+                 privateKey.decNativeKeyRef();
+             }
              CK_ATTRIBUTE[] lenAttributes = new CK_ATTRIBUTE[] {
                  new CK_ATTRIBUTE(CKA_VALUE_LEN),
              };
              token.p11.C_GetAttributeValue(session.id(), keyID, lenAttributes);
              int keyLen = (int)lenAttributes[0].getLong();
              SecretKey key = P11Key.secretKey
!                         (session, keyID, algorithm, keyLen << 3, attributes, true);
              return key;
          } catch (PKCS11Exception e) {
              throw new InvalidKeyException("Could not derive key", e);
          } finally {
              publicValue = null;