--- old/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java	2018-09-18 15:58:02.198394344 +0200
+++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java	2018-09-18 15:58:01.958392729 +0200
@@ -149,11 +149,17 @@
                     Session session = null;
                     try {
                         session = token.getObjSession();
-                        long newKeyID = token.p11.C_CopyObject(session.id(),
+                        p11Key.incNativeKeyRef();
+                        long newKeyID;
+                        try {
+                            newKeyID = token.p11.C_CopyObject(session.id(),
                                 p11Key.keyID, extraAttrs);
+                        } finally {
+                            p11Key.decNativeKeyRef();
+                        }
                         p11Key = (P11Key) (P11Key.secretKey(session,
                                 newKeyID, p11Key.algorithm, p11Key.keyLength,
-                                extraAttrs));
+                                extraAttrs, true));
                     } catch (PKCS11Exception p11e) {
                         throw new InvalidKeyException
                                 ("Cannot duplicate the PKCS11 key", p11e);
@@ -264,7 +270,7 @@
             session = token.getObjSession();
             long keyID = token.p11.C_CreateObject(session.id(), attributes);
             P11Key p11Key = (P11Key)P11Key.secretKey
-                (session, keyID, algorithm, keyLength, attributes);
+                (session, keyID, algorithm, keyLength, attributes, true);
             return p11Key;
         } catch (PKCS11Exception e) {
             throw new InvalidKeyException("Could not create key", e);