--- old/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyStore.java 2018-06-04 19:27:23.742702548 -0300 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyStore.java 2018-06-04 19:27:23.587701447 -0300 @@ -1291,7 +1291,7 @@ } } - return P11Key.secretKey(session, oHandle, keyType, keyLength, null); + return P11Key.secretKey(session, oHandle, keyType, keyLength, null, false); } private PrivateKey loadPkey(Session session, long oHandle) @@ -1326,7 +1326,8 @@ oHandle, keyType, keyLength, - null); + null, + false); } else if (kType == CKK_DSA) { @@ -1341,7 +1342,8 @@ oHandle, keyType, keyLength, - null); + null, + false); } else if (kType == CKK_DH) { @@ -1356,7 +1358,8 @@ oHandle, keyType, keyLength, - null); + null, + false); } else if (kType == CKK_EC) { @@ -1374,7 +1377,7 @@ throw new KeyStoreException("Unsupported parameters", e); } - return P11Key.privateKey(session, oHandle, "EC", keyLength, null); + return P11Key.privateKey(session, oHandle, "EC", keyLength, null, false); } else { if (debug != null) { @@ -1500,6 +1503,7 @@ CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_ID, alias) }; + key.makeNativeKeyPersistent(); token.p11.C_SetAttributeValue (session.id(), key.keyID, attrs); if (debug != null) { @@ -1518,7 +1522,12 @@ if (attribute != null) { attrs = addAttribute(attrs, attribute); } - token.p11.C_CopyObject(session.id(), key.keyID, attrs); + key.incNativeKeyRef(); + try { + token.p11.C_CopyObject(session.id(), key.keyID, attrs); + } finally { + key.decNativeKeyRef(); + } if (debug != null) { debug.println("updateP11Pkey copied private session key " + "for [" + @@ -1626,7 +1635,8 @@ new CK_ATTRIBUTE(CKA_LABEL, alias), }; try { - P11SecretKeyFactory.convertKey(token, skey, null, attrs); + P11Key k = P11SecretKeyFactory.convertKey(token, skey, null, attrs); + k.makeNativeKeyPersistent(); } catch (InvalidKeyException ike) { // re-throw KeyStoreException to match javadoc throw new KeyStoreException("Cannot convert to PKCS11 keys", ike);