--- old/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11ECDHKeyAgreement.java 2018-06-04 19:27:20.412678876 -0300 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11ECDHKeyAgreement.java 2018-06-04 19:27:20.222677525 -0300 @@ -130,9 +130,15 @@ new CK_ECDH1_DERIVE_PARAMS(CKD_NULL, null, publicValue); attributes = token.getAttributes (O_GENERATE, CKO_SECRET_KEY, CKK_GENERIC_SECRET, attributes); - long keyID = token.p11.C_DeriveKey(session.id(), - new CK_MECHANISM(mechanism, ckParams), privateKey.keyID, + privateKey.incNativeKeyRef(); + long keyID; + try { + keyID = token.p11.C_DeriveKey(session.id(), + new CK_MECHANISM(mechanism, ckParams), privateKey.keyID, attributes); + } finally { + privateKey.decNativeKeyRef(); + } attributes = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_VALUE) }; @@ -192,16 +198,22 @@ new CK_ECDH1_DERIVE_PARAMS(CKD_NULL, null, publicValue); attributes = token.getAttributes (O_GENERATE, CKO_SECRET_KEY, keyType, attributes); - long keyID = token.p11.C_DeriveKey(session.id(), - new CK_MECHANISM(mechanism, ckParams), privateKey.keyID, + privateKey.incNativeKeyRef(); + long keyID; + try { + keyID = token.p11.C_DeriveKey(session.id(), + new CK_MECHANISM(mechanism, ckParams), privateKey.keyID, attributes); + } finally { + privateKey.decNativeKeyRef(); + } CK_ATTRIBUTE[] lenAttributes = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_VALUE_LEN), }; token.p11.C_GetAttributeValue(session.id(), keyID, lenAttributes); int keyLen = (int)lenAttributes[0].getLong(); SecretKey key = P11Key.secretKey - (session, keyID, algorithm, keyLen << 3, attributes); + (session, keyID, algorithm, keyLen << 3, attributes, true); return key; } catch (PKCS11Exception e) { throw new InvalidKeyException("Could not derive key", e);