--- old/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsPrfGenerator.java 2018-06-04 19:27:28.083733408 -0300 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsPrfGenerator.java 2018-06-04 19:27:27.921732257 -0300 @@ -133,12 +133,18 @@ Session session = null; try { session = token.getOpSession(); - token.p11.C_SignInit - (session.id(), new CK_MECHANISM(mechanism), p11Key.keyID); - token.p11.C_SignUpdate(session.id(), 0, label, 0, label.length); - token.p11.C_SignUpdate(session.id(), 0, seed, 0, seed.length); - byte[] out = token.p11.C_SignFinal - (session.id(), spec.getOutputLength()); + byte[] out; + p11Key.incNativeKeyRef(); + try { + token.p11.C_SignInit + (session.id(), new CK_MECHANISM(mechanism), p11Key.keyID); + token.p11.C_SignUpdate(session.id(), 0, label, 0, label.length); + token.p11.C_SignUpdate(session.id(), 0, seed, 0, seed.length); + out = token.p11.C_SignFinal + (session.id(), spec.getOutputLength()); + } finally { + p11Key.decNativeKeyRef(); + } return new SecretKeySpec(out, "TlsPrf"); } catch (PKCS11Exception e) { throw new ProviderException("Could not calculate PRF", e); @@ -155,8 +161,13 @@ Session session = null; try { session = token.getOpSession(); - long keyID = token.p11.C_DeriveKey(session.id(), - new CK_MECHANISM(mechanism, params), p11Key.keyID, null); + p11Key.incNativeKeyRef(); + try { + token.p11.C_DeriveKey(session.id(), + new CK_MECHANISM(mechanism, params), p11Key.keyID, null); + } finally { + p11Key.decNativeKeyRef(); + } // ignore keyID, returned PRF bytes are in 'out' return new SecretKeySpec(out, "TlsPrf"); } catch (PKCS11Exception e) {