--- old/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsKeyMaterialGenerator.java 2018-09-18 15:58:03.051400085 +0200
+++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsKeyMaterialGenerator.java 2018-09-18 15:58:02.878398921 +0200
@@ -173,8 +173,15 @@
 attributes = token.getAttributes
 (O_GENERATE, CKO_SECRET_KEY, keyType, attributes);
 // the returned keyID is a dummy, ignore
- long keyID = token.p11.C_DeriveKey(session.id(),
- new CK_MECHANISM(mechanism, params), p11Key.keyID, attributes);
+
+ p11Key.incNativeKeyRef();
+ try {
+ token.p11.C_DeriveKey(session.id(),
+ new CK_MECHANISM(mechanism, params),
+ p11Key.keyID, attributes);
+ } finally {
+ p11Key.decNativeKeyRef();
+ }
 
 CK_SSL3_KEY_MAT_OUT out = params.pReturnedKeyMaterial;
 // Note that the MAC keys do not inherit all attributes from the
@@ -187,10 +194,10 @@
 // PKCS11 does not support GCM mode as the author made the comment,
 // so the macBits is unlikely to be zero. It's only a place holder.
 if (macBits != 0) {
- clientMacKey = P11Key.secretKey
- (session, out.hClientMacSecret, "MAC", macBits, attributes);
- serverMacKey = P11Key.secretKey
- (session, out.hServerMacSecret, "MAC", macBits, attributes);
+ clientMacKey = P11Key.secretKey(session, out.hClientMacSecret,
+ "MAC", macBits, attributes, true);
+ serverMacKey = P11Key.secretKey(session, out.hServerMacSecret,
+ "MAC", macBits, attributes, true);
 } else {
 clientMacKey = null;
 serverMacKey = null;
@@ -199,9 +206,9 @@
 SecretKey clientCipherKey, serverCipherKey;
 if (keyBits != 0) {
 clientCipherKey = P11Key.secretKey(session, out.hClientKey,
- cipherAlgorithm, expandedKeyBits, attributes);
+ cipherAlgorithm, expandedKeyBits, attributes, true);
 serverCipherKey = P11Key.secretKey(session, out.hServerKey,
- cipherAlgorithm, expandedKeyBits, attributes);
+ cipherAlgorithm, expandedKeyBits, attributes, true);
 } else {
 clientCipherKey = null;
 serverCipherKey = null;
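Review bot: The comment `// the returned keyID is a dummy, ignore` in the first hunk is now detached from the call it describes, because a blank line, `p11Key.incNativeKeyRef();` and `try {` sit between it and `C_DeriveKey`, and the return value is no longer assigned to anything. I would move it inside the `try`, directly above `token.p11.C_DeriveKey(session.id(),`, and reword it as `// the handle returned by C_DeriveKey is a dummy; the derived keys come back in params.pReturnedKeyMaterial`. A one-line comment above `p11Key.incNativeKeyRef();` saying why the reference is taken would also help; presumably it keeps the native handle behind `p11Key.keyID` valid for the duration of the derive call, but P11Key's side of that contract is not on this page, so the author should confirm the wording. Taking the reference before the `try` and releasing it in `finally` is the right shape, since a failed increment is then never paired with a decrement. The enclosing method starts and ends outside the hunk.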
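Review bot: The new trailing `true` on the two `P11Key.secretKey(...)` MAC-key calls in the second hunk is a bare boolean whose meaning cannot be read at the call site, and the same applies to the two cipher-key calls in the third hunk. The parameter is declared in P11Key, outside this page, so a reader here cannot tell what behaviour is being switched on for these four TLS session keys. Since these are handles to derived key material, I would name the flag at each call, e.g. `attributes, /* <parameter name> */ true);`, or add one comment above the `if (macBits != 0) {` block stating what the flag selects and why it is `true` for all four keys. If the flag affects how the native key handle or key value is held or released, that is worth saying explicitly, because the comment just above notes that the MAC keys inherit their sensitive/extractable attributes from the base key.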