--- old/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyStore.java 2018-09-18 15:58:00.305381603 +0200 +++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyStore.java 2018-09-18 15:58:00.116380332 +0200 @@ -1291,7 +1291,8 @@ } } - return P11Key.secretKey(session, oHandle, keyType, keyLength, null); + return P11Key.secretKey(session, oHandle, keyType, keyLength, null, + false); } private PrivateKey loadPkey(Session session, long oHandle) @@ -1326,7 +1327,8 @@ oHandle, keyType, keyLength, - null); + null, + false); } else if (kType == CKK_DSA) { @@ -1341,7 +1343,8 @@ oHandle, keyType, keyLength, - null); + null, + false); } else if (kType == CKK_DH) { @@ -1356,7 +1359,8 @@ oHandle, keyType, keyLength, - null); + null, + false); } else if (kType == CKK_EC) { @@ -1374,7 +1378,8 @@ throw new KeyStoreException("Unsupported parameters", e); } - return P11Key.privateKey(session, oHandle, "EC", keyLength, null); + return P11Key.privateKey(session, oHandle, "EC", keyLength, null, + false); } else { if (debug != null) { @@ -1500,6 +1505,7 @@ CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_ID, alias) }; + key.makeNativeKeyPersistent(); token.p11.C_SetAttributeValue (session.id(), key.keyID, attrs); if (debug != null) { @@ -1518,7 +1524,12 @@ if (attribute != null) { attrs = addAttribute(attrs, attribute); } - token.p11.C_CopyObject(session.id(), key.keyID, attrs); + key.incNativeKeyRef(); + try { + token.p11.C_CopyObject(session.id(), key.keyID, attrs); + } finally { + key.decNativeKeyRef(); + } if (debug != null) { debug.println("updateP11Pkey copied private session key " + "for [" + 
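Review bot: The bare `false` appended to `P11Key.secretKey(...)` in the hunk at -1291 gives no hint of what it selects. The same literal is added to the argument lists in the hunks at -1326, -1341 and -1356 (callee not visible there) and to `P11Key.privateKey(...)` at -1374. These are the paths that wrap key handles loaded from the token, so anyone auditing key lifetime has to open P11Key to learn which behaviour is chosen. An inline label such as `false /* PARAM_NAME */` (placeholder: use the real parameter name from P11Key) or a named constant would make the choice visible at each call. The enclosing methods start and end outside these hunks.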
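Review bot: In the hunk at -1500 the new `key.makeNativeKeyPersistent();` has to run before `C_SetAttributeValue` reads `key.keyID`, but nothing in the code records that ordering. Unlike the `incNativeKeyRef`/`decNativeKeyRef` pair in the next hunk, it also has no visible undo. If the call is what keeps the handle valid (inferred from its name; its body is not in this diff), a comment such as `// token object is updated in place: keep the native handle valid for the lifetime of this key` would explain why the permanent variant is used here. It is also worth confirming that leaving the key persistent when `C_SetAttributeValue` throws is acceptable. The surrounding method begins and ends outside the hunk.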
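Review bot: `key.keyID` in the hunk at -1518 is safe only because the read happens between `incNativeKeyRef()` and `decNativeKeyRef()`, and that rule is enforced by convention alone. A call site that forgets the bracket would still compile and could pass the token a handle that no longer refers to a live native object. Consider having the increment call return the handle, with the field hidden, so the handle cannot be obtained without taking a reference. Failing that, a one-line comment above the `try`, `// keyID is valid only while a native key reference is held`, would document the contract. The enclosing method extends beyond the hunk.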
@@ -1626,7 +1637,8 @@
 new CK_ATTRIBUTE(CKA_LABEL, alias),
 };
 try {
- P11SecretKeyFactory.convertKey(token, skey, null, attrs);
+ P11Key k = P11SecretKeyFactory.convertKey(token, skey, null, attrs);
+ k.makeNativeKeyPersistent();
 } catch (InvalidKeyException ike) {
 // re-throw KeyStoreException to match javadoc
 throw new KeyStoreException("Cannot convert to PKCS11 keys", ike);
@@ -1894,10 +1906,12 @@
 return attrs;
 }
 String alg = privateKey.getAlgorithm();
- if (id && alg.equals("RSA") && (publicKey instanceof RSAPublicKey)) {
+ if (alg.equals("RSA") && (publicKey instanceof RSAPublicKey)) {
+ if (id) {
+ BigInteger n = ((RSAPublicKey)publicKey).getModulus();
+ attrs[0] = new CK_ATTRIBUTE(CKA_ID, sha1(getMagnitude(n)));
+ }
 // CKA_NETSCAPE_DB not needed for RSA public keys
- BigInteger n = ((RSAPublicKey)publicKey).getModulus();
- attrs[0] = new CK_ATTRIBUTE(CKA_ID, sha1(getMagnitude(n)));
 } else if (alg.equals("DSA") && (publicKey instanceof DSAPublicKey)) {
 BigInteger y = ((DSAPublicKey)publicKey).getY();
 if (id) {
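Review bot: In the hunk at -1626 the result of `convertKey` is assigned to `k`, made persistent and then dropped, so the reason for `k.makeNativeKeyPersistent()` is not evident from the code. Presumably the call stops the discarded wrapper from releasing the token object that was just created with `CKA_LABEL` set to the alias. A comment such as `// the keystore entry lives on the token: the wrapper must not release it` would say so. If `convertKey` can return the caller's own `skey` instance rather than a copy (not visible here), this call would also change that object's lifetime, which deserves a check. The method containing this try block starts and ends outside the hunk.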
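Review bot: Moving the `id` test inside the RSA branch in the hunk at -1894 changes what happens when `id` is false: an RSA key used to fall through to the following `else if` chain, and now the branch leaves `attrs` untouched. That looks intentional, but the branch ends with a trailing comment after the inner block, which reads like a leftover. Moving `// CKA_NETSCAPE_DB not needed for RSA public keys` to the top of the branch and noting that only CKA_ID is set, and only when requested, would make the empty case read as deliberate. What the tail of the chain did for RSA before is outside the hunk, so whether any caller relied on it should be confirmed.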