--- old/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsMasterSecretGenerator.java	2018-09-18 15:58:03.478402959 +0200
+++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsMasterSecretGenerator.java	2018-09-18 15:58:03.303401781 +0200
@@ -147,8 +147,15 @@
             session = token.getObjSession();
             CK_ATTRIBUTE[] attributes = token.getAttributes(O_GENERATE,
                 CKO_SECRET_KEY, CKK_GENERIC_SECRET, new CK_ATTRIBUTE[0]);
-            long keyID = token.p11.C_DeriveKey(session.id(),
-                new CK_MECHANISM(mechanism, params), p11Key.keyID, attributes);
+            p11Key.incNativeKeyRef();
+            long keyID;
+            try {
+                keyID = token.p11.C_DeriveKey(session.id(),
+                        new CK_MECHANISM(mechanism, params),
+                        p11Key.keyID, attributes);
+            } finally {
+                p11Key.decNativeKeyRef();
+            }
             int major, minor;
             if (params.pVersion == null) {
                 major = -1;
@@ -158,7 +165,7 @@
                 minor = params.pVersion.minor;
             }
             SecretKey key = P11Key.masterSecretKey(session, keyID,
-                "TlsMasterSecret", 48 << 3, attributes, major, minor);
+                "TlsMasterSecret", 48 << 3, attributes, major, minor, true);
             return key;
         } catch (Exception e) {
             throw new ProviderException("Could not generate key", e);