changeset 55832:f492567244ab

8080462: Update SunPKCS11 provider with PKCS11 v2.40 support Summary: Added support for GCM, PSS, and other mechanisms Reviewed-by: jnimeh
author valeriep
date Tue, 11 Jun 2019 21:30:28 +0000
parents dbf5cda9843d
children 75f47593d244
files src/java.base/share/classes/sun/security/util/GCMParameters.java src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_CCM_PARAMS.java src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_GCM_PARAMS.java src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/Functions.java src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java src/jdk.crypto.cryptoki/share/legal/pkcs11cryptotoken.md src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_crypt.c src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_digest.c src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_general.c src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_keymgmt.c src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_mutex.c src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_sign.c src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs-11v2-20a3.h src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11.h src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11f.h src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11t.h src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h test/jdk/sun/security/pkcs11/Cipher/Test4512704.java test/jdk/sun/security/pkcs11/Cipher/TestCICOWithGCM.java test/jdk/sun/security/pkcs11/Cipher/TestCICOWithGCMAndAAD.java test/jdk/sun/security/pkcs11/Cipher/TestGCMKeyAndIvCheck.java test/jdk/sun/security/pkcs11/Cipher/TestKATForGCM.java test/jdk/sun/security/pkcs11/MessageDigest/ByteBuffers.java test/jdk/sun/security/pkcs11/Signature/InitAgainPSS.java test/jdk/sun/security/pkcs11/Signature/KeyAndParamCheckForPSS.java test/jdk/sun/security/pkcs11/Signature/SigInteropPSS.java test/jdk/sun/security/pkcs11/Signature/SignatureTestPSS.java test/jdk/sun/security/pkcs11/Signature/TestDSA2.java
diffstat 38 files changed, 6565 insertions(+), 2823 deletions(-) [+]
line wrap: on
line diff
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/java.base/share/classes/sun/security/util/GCMParameters.java	Tue Jun 11 21:30:28 2019 +0000
@@ -0,0 +1,153 @@
+/*
+ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.util;
+
+import java.io.IOException;
+import java.security.AlgorithmParametersSpi;
+import java.security.spec.AlgorithmParameterSpec;
+import java.security.spec.InvalidParameterSpecException;
+import javax.crypto.spec.GCMParameterSpec;
+import sun.security.util.HexDumpEncoder;
+import sun.security.util.*;
+
+/**
+ * This class implements the parameter set used with
+ * GCM encryption, which is defined in RFC 5084 as follows:
+ *
+ * <pre>
+ *    GCMParameters ::= SEQUENCE {
+ *      aes-iv      OCTET STRING, -- recommended size is 12 octets
+ *      aes-tLen    AES-GCM-ICVlen DEFAULT 12 }
+ *
+ *    AES-GCM-ICVlen ::= INTEGER (12 | 13 | 14 | 15 | 16)
+ *
+ * </pre>
+ *
+ * @since 13
+ */
+public final class GCMParameters extends AlgorithmParametersSpi {
+
+    // the iv
+    private byte[] iv;
+    // the tag length in bytes
+    private int tLen;
+
+    public GCMParameters() {}
+
+    protected void engineInit(AlgorithmParameterSpec paramSpec)
+        throws InvalidParameterSpecException {
+
+        if (!(paramSpec instanceof GCMParameterSpec)) {
+            throw new InvalidParameterSpecException
+                ("Inappropriate parameter specification");
+        }
+        GCMParameterSpec gps = (GCMParameterSpec) paramSpec;
+        // need to convert from bits to bytes for ASN.1 encoding
+        this.tLen = gps.getTLen()/8;
+        if (this.tLen < 12 || this.tLen > 16 ) {
+            throw new InvalidParameterSpecException
+                ("GCM parameter parsing error: unsupported tag len: " +
+                 this.tLen);
+        }
+        this.iv = gps.getIV();
+    }
+
+    protected void engineInit(byte[] encoded) throws IOException {
+        DerValue val = new DerValue(encoded);
+        // check if IV or params
+        if (val.tag == DerValue.tag_Sequence) {
+            byte[] iv = val.data.getOctetString();
+            int tLen;
+            if (val.data.available() != 0) {
+                tLen = val.data.getInteger();
+                if (tLen < 12 || tLen > 16 ) {
+                    throw new IOException
+                        ("GCM parameter parsing error: unsupported tag len: " +
+                         tLen);
+                }
+                if (val.data.available() != 0) {
+                    throw new IOException
+                        ("GCM parameter parsing error: extra data");
+                }
+            } else {
+                tLen = 12;
+            }
+            this.iv = iv.clone();
+            this.tLen = tLen;
+        } else {
+            throw new IOException("GCM parameter parsing error: no SEQ tag");
+        }
+    }
+
+    protected void engineInit(byte[] encoded, String decodingMethod)
+        throws IOException {
+        engineInit(encoded);
+    }
+
+    protected <T extends AlgorithmParameterSpec>
+            T engineGetParameterSpec(Class<T> paramSpec)
+        throws InvalidParameterSpecException {
+
+        if (GCMParameterSpec.class.isAssignableFrom(paramSpec)) {
+            return paramSpec.cast(new GCMParameterSpec(tLen * 8, iv));
+        } else {
+            throw new InvalidParameterSpecException
+                ("Inappropriate parameter specification");
+        }
+    }
+
+    protected byte[] engineGetEncoded() throws IOException {
+        DerOutputStream out = new DerOutputStream();
+        DerOutputStream bytes = new DerOutputStream();
+
+        bytes.putOctetString(iv);
+        // Only put non-default values
+        if (tLen != 12) {
+            bytes.putInteger(tLen);
+        }
+        out.write(DerValue.tag_Sequence, bytes);
+        return out.toByteArray();
+    }
+
+    protected byte[] engineGetEncoded(String encodingMethod)
+        throws IOException {
+        return engineGetEncoded();
+    }
+
+    /*
+     * Returns a formatted string describing the parameters.
+     */
+    protected String engineToString() {
+        String LINE_SEP = System.lineSeparator();
+        HexDumpEncoder encoder = new HexDumpEncoder();
+        StringBuilder sb
+            = new StringBuilder(LINE_SEP + "    iv:" + LINE_SEP + "["
+                + encoder.encodeBuffer(iv) + "]");
+
+        sb.append(LINE_SEP + "tLen(bits):" + LINE_SEP + tLen*8 + LINE_SEP);
+        return sb.toString();
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java	Tue Jun 11 21:30:28 2019 +0000
@@ -0,0 +1,750 @@
+/* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+package sun.security.pkcs11;
+
+import java.io.ByteArrayOutputStream;
+import java.nio.ByteBuffer;
+import java.util.Arrays;
+import java.util.Locale;
+
+import java.security.*;
+import java.security.spec.*;
+
+import javax.crypto.*;
+import javax.crypto.spec.*;
+
+import sun.nio.ch.DirectBuffer;
+import sun.security.jca.JCAUtil;
+import sun.security.pkcs11.wrapper.*;
+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+
+/**
+ * P11 AEAD Cipher implementation class. This class currently supports
+ * AES with GCM mode.
+ *
+ * Note that AEAD modes do not use padding, so this class does not have
+ * its own padding impl. In addition, NSS CKM_AES_GCM only supports single-part
+ * encryption/decryption, thus the current impl uses PKCS#11 C_Encrypt/C_Decrypt
+ * calls and buffers data until doFinal is called.
+ *
+ * Note that PKCS#11 standard currently only supports GCM and CCM AEAD modes.
+ * There are no provisions for other AEAD modes yet.
+ *
+ * @since   13
+ */
+final class P11AEADCipher extends CipherSpi {
+
+    // mode constant for GCM mode
+    private static final int MODE_GCM = 10;
+
+    // default constants for GCM
+    private static final int GCM_DEFAULT_TAG_LEN = 16;
+    private static final int GCM_DEFAULT_IV_LEN = 16;
+
+    private static final String ALGO = "AES";
+
+    // token instance
+    private final Token token;
+
+    // mechanism id
+    private final long mechanism;
+
+    // mode, one of MODE_* above
+    private final int blockMode;
+
+    // acceptable key size, -1 if more than 1 key sizes are accepted
+    private final int fixedKeySize;
+
+    // associated session, if any
+    private Session session = null;
+
+    // key, if init() was called
+    private P11Key p11Key = null;
+
+    // flag indicating whether an operation is initialized
+    private boolean initialized = false;
+
+    // falg indicating encrypt or decrypt mode
+    private boolean encrypt = true;
+
+    // parameters
+    private byte[] iv = null;
+    private int tagLen = -1;
+    private SecureRandom random = JCAUtil.getSecureRandom();
+
+    // dataBuffer is cleared upon doFinal calls
+    private ByteArrayOutputStream dataBuffer = new ByteArrayOutputStream();
+    // aadBuffer is cleared upon successful init calls
+    private ByteArrayOutputStream aadBuffer = new ByteArrayOutputStream();
+    private boolean updateCalled = false;
+
+    private boolean requireReinit = false;
+    private P11Key lastEncKey = null;
+    private byte[] lastEncIv = null;
+
+    P11AEADCipher(Token token, String algorithm, long mechanism)
+            throws PKCS11Exception, NoSuchAlgorithmException {
+        super();
+        this.token = token;
+        this.mechanism = mechanism;
+
+        String[] algoParts = algorithm.split("/");
+        if (algoParts.length != 3) {
+            throw new ProviderException("Unsupported Transformation format: " +
+                    algorithm);
+        }
+        if (!algoParts[0].startsWith("AES")) {
+            throw new ProviderException("Only support AES for AEAD cipher mode");
+        }
+        int index = algoParts[0].indexOf('_');
+        if (index != -1) {
+            // should be well-formed since we specify what we support
+            fixedKeySize = Integer.parseInt(algoParts[0].substring(index+1)) >> 3;
+        } else {
+            fixedKeySize = -1;
+        }
+        this.blockMode = parseMode(algoParts[1]);
+        if (!algoParts[2].equals("NoPadding")) {
+            throw new ProviderException("Only NoPadding is supported for AEAD cipher mode");
+        }
+    }
+
+    protected void engineSetMode(String mode) throws NoSuchAlgorithmException {
+        // Disallow change of mode for now since currently it's explicitly
+        // defined in transformation strings
+        throw new NoSuchAlgorithmException("Unsupported mode " + mode);
+    }
+
+    private int parseMode(String mode) throws NoSuchAlgorithmException {
+        mode = mode.toUpperCase(Locale.ENGLISH);
+        int result;
+        if (mode.equals("GCM")) {
+            result = MODE_GCM;
+        } else {
+            throw new NoSuchAlgorithmException("Unsupported mode " + mode);
+        }
+        return result;
+    }
+
+    // see JCE spec
+    protected void engineSetPadding(String padding)
+            throws NoSuchPaddingException {
+        // Disallow change of padding for now since currently it's explicitly
+        // defined in transformation strings
+        throw new NoSuchPaddingException("Unsupported padding " + padding);
+    }
+
+    // see JCE spec
+    protected int engineGetBlockSize() {
+        return 16; // constant; only AES is supported
+    }
+
+    // see JCE spec
+    protected int engineGetOutputSize(int inputLen) {
+        return doFinalLength(inputLen);
+    }
+
+    // see JCE spec
+    protected byte[] engineGetIV() {
+        return (iv == null) ? null : iv.clone();
+    }
+
+    // see JCE spec
+    protected AlgorithmParameters engineGetParameters() {
+        if (encrypt && iv == null && tagLen == -1) {
+            switch (blockMode) {
+                case MODE_GCM:
+                    iv = new byte[GCM_DEFAULT_IV_LEN];
+                    tagLen = GCM_DEFAULT_TAG_LEN;
+                    break;
+                default:
+                    throw new ProviderException("Unsupported mode");
+            }
+            random.nextBytes(iv);
+        }
+        try {
+            AlgorithmParameterSpec spec;
+            String apAlgo;
+            switch (blockMode) {
+                case MODE_GCM:
+                    apAlgo = "GCM";
+                    spec = new GCMParameterSpec(tagLen << 3, iv);
+                    break;
+                default:
+                    throw new ProviderException("Unsupported mode");
+            }
+            AlgorithmParameters params =
+                AlgorithmParameters.getInstance(apAlgo);
+            params.init(spec);
+            return params;
+        } catch (GeneralSecurityException e) {
+            // NoSuchAlgorithmException, NoSuchProviderException
+            // InvalidParameterSpecException
+            throw new ProviderException("Could not encode parameters", e);
+        }
+    }
+
+    // see JCE spec
+    protected void engineInit(int opmode, Key key, SecureRandom sr)
+            throws InvalidKeyException {
+        if (opmode == Cipher.DECRYPT_MODE) {
+            throw new InvalidKeyException("Parameters required for decryption");
+        }
+        updateCalled = false;
+        try {
+            implInit(opmode, key, null, -1, sr);
+        } catch (InvalidAlgorithmParameterException e) {
+            throw new InvalidKeyException("init() failed", e);
+        }
+    }
+
+    // see JCE spec
+    protected void engineInit(int opmode, Key key,
+            AlgorithmParameterSpec params, SecureRandom sr)
+            throws InvalidKeyException, InvalidAlgorithmParameterException {
+        if (opmode == Cipher.DECRYPT_MODE && params == null) {
+            throw new InvalidAlgorithmParameterException
+                    ("Parameters required for decryption");
+        }
+        updateCalled = false;
+        byte[] ivValue = null;
+        int tagLen = -1;
+        if (params != null) {
+            switch (blockMode) {
+            case MODE_GCM:
+                if (!(params instanceof GCMParameterSpec)) {
+                    throw new InvalidAlgorithmParameterException
+                        ("Only GCMParameterSpec is supported");
+                }
+                ivValue = ((GCMParameterSpec) params).getIV();
+                tagLen = ((GCMParameterSpec) params).getTLen() >> 3;
+            break;
+            default:
+                throw new ProviderException("Unsupported mode");
+            }
+        }
+        implInit(opmode, key, ivValue, tagLen, sr);
+    }
+
+    // see JCE spec
+    protected void engineInit(int opmode, Key key, AlgorithmParameters params,
+            SecureRandom sr)
+            throws InvalidKeyException, InvalidAlgorithmParameterException {
+        if (opmode == Cipher.DECRYPT_MODE && params == null) {
+            throw new InvalidAlgorithmParameterException
+                    ("Parameters required for decryption");
+        }
+        updateCalled = false;
+        try {
+            AlgorithmParameterSpec paramSpec = null;
+            if (params != null) {
+                switch (blockMode) {
+                    case MODE_GCM:
+                        paramSpec =
+                            params.getParameterSpec(GCMParameterSpec.class);
+                        break;
+                    default:
+                        throw new ProviderException("Unsupported mode");
+                }
+            }
+            engineInit(opmode, key, paramSpec, sr);
+        } catch (InvalidParameterSpecException ex) {
+            throw new InvalidAlgorithmParameterException(ex);
+        }
+    }
+
+    // actual init() implementation
+    private void implInit(int opmode, Key key, byte[] iv, int tagLen,
+        SecureRandom sr)
+        throws InvalidKeyException, InvalidAlgorithmParameterException {
+        reset(true);
+        if (fixedKeySize != -1 && key.getEncoded().length != fixedKeySize) {
+            throw new InvalidKeyException("Key size is invalid");
+        }
+        P11Key newKey = P11SecretKeyFactory.convertKey(token, key, ALGO);
+        switch (opmode) {
+            case Cipher.ENCRYPT_MODE:
+                encrypt = true;
+                requireReinit = Arrays.equals(iv, lastEncIv) &&
+                        (newKey == lastEncKey);
+                if (requireReinit) {
+                    throw new InvalidAlgorithmParameterException
+                        ("Cannot reuse iv for GCM encryption");
+                }
+                break;
+            case Cipher.DECRYPT_MODE:
+                encrypt = false;
+                requireReinit = false;
+                break;
+            default:
+                throw new InvalidAlgorithmParameterException
+                        ("Unsupported mode: " + opmode);
+        }
+
+        // decryption without parameters is checked in all engineInit() calls
+        if (sr != null) {
+            this.random = sr;
+        }
+        if (iv == null && tagLen == -1) {
+            // generate default values
+            switch (blockMode) {
+                case MODE_GCM:
+                    iv = new byte[GCM_DEFAULT_IV_LEN];
+                    this.random.nextBytes(iv);
+                    tagLen = GCM_DEFAULT_TAG_LEN;
+                    break;
+                default:
+                    throw new ProviderException("Unsupported mode");
+            }
+        }
+        this.iv = iv;
+        this.tagLen = tagLen;
+        this.p11Key = newKey;
+        try {
+            initialize();
+        } catch (PKCS11Exception e) {
+            throw new InvalidKeyException("Could not initialize cipher", e);
+        }
+    }
+
+    private void cancelOperation() {
+        try {
+            if (session.hasObjects() == false) {
+                session = token.killSession(session);
+                return;
+            } else {
+                // cancel operation by finishing it
+                int bufLen = doFinalLength(0);
+                byte[] buffer = new byte[bufLen];
+
+                if (encrypt) {
+                    token.p11.C_Encrypt(session.id(), 0, buffer, 0, bufLen,
+                            0, buffer, 0, bufLen);
+                } else {
+                    token.p11.C_Decrypt(session.id(), 0, buffer, 0, bufLen,
+                            0, buffer, 0, bufLen);
+                }
+            }
+        } catch (PKCS11Exception e) {
+            throw new ProviderException("Cancel failed", e);
+        }
+    }
+
+    private void ensureInitialized() throws PKCS11Exception {
+        if (initialized && aadBuffer.size() > 0) {
+            // need to cancel first to avoid CKR_OPERATION_ACTIVE
+            reset(true);
+        }
+        if (!initialized) {
+            initialize();
+        }
+    }
+
+    private void initialize() throws PKCS11Exception {
+        if (p11Key == null) {
+            throw new ProviderException(
+                    "Operation cannot be performed without"
+                    + " calling engineInit first");
+        }
+        if (requireReinit) {
+            throw new IllegalStateException
+                ("Must use either different key or iv for GCM encryption");
+        }
+
+        token.ensureValid();
+
+        byte[] aad = (aadBuffer.size() > 0? aadBuffer.toByteArray() : null);
+
+        long p11KeyID = p11Key.getKeyID();
+        try {
+            if (session == null) {
+                session = token.getOpSession();
+            }
+            CK_MECHANISM mechWithParams;
+            switch (blockMode) {
+                case MODE_GCM:
+                    mechWithParams = new CK_MECHANISM(mechanism,
+                        new CK_GCM_PARAMS(tagLen << 3, iv, aad));
+                    break;
+                default:
+                    throw new ProviderException("Unsupported mode: " + blockMode);
+            }
+            if (encrypt) {
+                token.p11.C_EncryptInit(session.id(), mechWithParams,
+                    p11KeyID);
+            } else {
+                token.p11.C_DecryptInit(session.id(), mechWithParams,
+                    p11KeyID);
+            }
+        } catch (PKCS11Exception e) {
+            //e.printStackTrace();
+            p11Key.releaseKeyID();
+            session = token.releaseSession(session);
+            throw e;
+        } finally {
+            dataBuffer.reset();
+            aadBuffer.reset();
+        }
+        initialized = true;
+    }
+
+    // if doFinal(inLen) is called, how big does the output buffer have to be?
+    private int doFinalLength(int inLen) {
+        if (inLen < 0) {
+            throw new ProviderException("Invalid negative input length");
+        }
+
+        int result = inLen + dataBuffer.size();
+        if (encrypt) {
+            result += tagLen;
+        } else {
+            // PKCS11Exception: CKR_BUFFER_TOO_SMALL
+            //result -= tagLen;
+        }
+        return result;
+    }
+
+    // reset the states to the pre-initialized values
+    private void reset(boolean doCancel) {
+        if (!initialized) {
+            return;
+        }
+        try {
+            if (session == null) {
+                return;
+            }
+            if (doCancel && token.explicitCancel) {
+                cancelOperation();
+            }
+        } finally {
+            p11Key.releaseKeyID();
+            session = token.releaseSession(session);
+        }
+        initialized = false;
+    }
+
+    // see JCE spec
+    protected byte[] engineUpdate(byte[] in, int inOfs, int inLen) {
+        updateCalled = true;
+        int n = implUpdate(in, inOfs, inLen);
+        return new byte[0];
+    }
+
+    // see JCE spec
+    protected int engineUpdate(byte[] in, int inOfs, int inLen, byte[] out,
+            int outOfs) throws ShortBufferException {
+        updateCalled = true;
+        implUpdate(in, inOfs, inLen);
+        return 0;
+    }
+
+    // see JCE spec
+    @Override
+    protected int engineUpdate(ByteBuffer inBuffer, ByteBuffer outBuffer)
+            throws ShortBufferException {
+        updateCalled = true;
+        implUpdate(inBuffer);
+        return 0;
+    }
+
+    // see JCE spec
+    @Override
+    protected synchronized void engineUpdateAAD(byte[] src, int srcOfs, int srcLen)
+            throws IllegalStateException {
+        if ((src == null) || (srcOfs < 0) || (srcOfs + srcLen > src.length)) {
+            throw new IllegalArgumentException("Invalid AAD");
+        }
+        if (requireReinit) {
+            throw new IllegalStateException
+                ("Must use either different key or iv for GCM encryption");
+        }
+        if (p11Key == null) {
+            throw new IllegalStateException("Need to initialize Cipher first");
+        }
+        if (updateCalled) {
+            throw new IllegalStateException
+                ("Update has been called; no more AAD data");
+        }
+        aadBuffer.write(src, srcOfs, srcLen);
+    }
+
+    // see JCE spec
+    @Override
+    protected void engineUpdateAAD(ByteBuffer src)
+            throws IllegalStateException {
+        if (src == null) {
+            throw new IllegalArgumentException("Invalid AAD");
+        }
+        byte[] srcBytes = new byte[src.remaining()];
+        src.get(srcBytes);
+        engineUpdateAAD(srcBytes, 0, srcBytes.length);
+    }
+
+    // see JCE spec
+    protected byte[] engineDoFinal(byte[] in, int inOfs, int inLen)
+            throws IllegalBlockSizeException, BadPaddingException {
+        int minOutLen = doFinalLength(inLen);
+        try {
+            byte[] out = new byte[minOutLen];
+            int n = engineDoFinal(in, inOfs, inLen, out, 0);
+            return P11Util.convert(out, 0, n);
+        } catch (ShortBufferException e) {
+            // convert since the output length is calculated by doFinalLength()
+            throw new ProviderException(e);
+        } finally {
+            updateCalled = false;
+        }
+    }
+    // see JCE spec
+    protected int engineDoFinal(byte[] in, int inOfs, int inLen, byte[] out,
+            int outOfs) throws ShortBufferException, IllegalBlockSizeException,
+            BadPaddingException {
+        try {
+            return implDoFinal(in, inOfs, inLen, out, outOfs, out.length - outOfs);
+        } finally {
+            updateCalled = false;
+        }
+    }
+
+    // see JCE spec
+    @Override
+    protected int engineDoFinal(ByteBuffer inBuffer, ByteBuffer outBuffer)
+            throws ShortBufferException, IllegalBlockSizeException,
+            BadPaddingException {
+        try {
+            return implDoFinal(inBuffer, outBuffer);
+        } finally {
+            updateCalled = false;
+        }
+    }
+
+    private int implUpdate(byte[] in, int inOfs, int inLen) {
+        if (inLen > 0) {
+            updateCalled = true;
+            try {
+                ensureInitialized();
+            } catch (PKCS11Exception e) {
+                //e.printStackTrace();
+                reset(false);
+                throw new ProviderException("update() failed", e);
+            }
+            dataBuffer.write(in, inOfs, inLen);
+        }
+        // always 0 as NSS only supports single-part encryption/decryption
+        return 0;
+    }
+
+    private int implUpdate(ByteBuffer inBuf) {
+        int inLen = inBuf.remaining();
+        if (inLen > 0) {
+            try {
+                ensureInitialized();
+            } catch (PKCS11Exception e) {
+                reset(false);
+                throw new ProviderException("update() failed", e);
+            }
+            byte[] data = new byte[inLen];
+            inBuf.get(data);
+            dataBuffer.write(data, 0, data.length);
+        }
+        // always 0 as NSS only supports single-part encryption/decryption
+        return 0;
+    }
+
+    private int implDoFinal(byte[] in, int inOfs, int inLen,
+            byte[] out, int outOfs, int outLen)
+            throws ShortBufferException, IllegalBlockSizeException,
+            BadPaddingException {
+        int requiredOutLen = doFinalLength(inLen);
+        if (outLen < requiredOutLen) {
+            throw new ShortBufferException();
+        }
+        boolean doCancel = true;
+        try {
+            ensureInitialized();
+            if (dataBuffer.size() > 0) {
+                if (in != null && inOfs > 0 && inLen > 0 &&
+                    inOfs < (in.length - inLen)) {
+                    dataBuffer.write(in, inOfs, inLen);
+                }
+                in = dataBuffer.toByteArray();
+                inOfs = 0;
+                inLen = in.length;
+            }
+            int k = 0;
+            if (encrypt) {
+                k = token.p11.C_Encrypt(session.id(), 0, in, inOfs, inLen,
+                        0, out, outOfs, outLen);
+                doCancel = false;
+            } else {
+                // Special handling to match SunJCE provider behavior
+                if (inLen == 0) {
+                    return 0;
+                }
+                k = token.p11.C_Decrypt(session.id(), 0, in, inOfs, inLen,
+                        0, out, outOfs, outLen);
+                doCancel = false;
+            }
+            return k;
+        } catch (PKCS11Exception e) {
+            doCancel = false;
+            handleException(e);
+            throw new ProviderException("doFinal() failed", e);
+        } finally {
+            if (encrypt) {
+                lastEncKey = this.p11Key;
+                lastEncIv = this.iv;
+                requireReinit = true;
+            }
+            reset(doCancel);
+        }
+    }
+
+    private int implDoFinal(ByteBuffer inBuffer, ByteBuffer outBuffer)
+            throws ShortBufferException, IllegalBlockSizeException,
+            BadPaddingException {
+        int outLen = outBuffer.remaining();
+        int inLen = inBuffer.remaining();
+
+        int requiredOutLen = doFinalLength(inLen);
+        if (outLen < requiredOutLen) {
+            throw new ShortBufferException();
+        }
+
+        boolean doCancel = true;
+        try {
+            ensureInitialized();
+
+            long inAddr = 0;
+            byte[] in = null;
+            int inOfs = 0;
+            if (dataBuffer.size() > 0) {
+                if (inLen > 0) {
+                    byte[] temp = new byte[inLen];
+                    inBuffer.get(temp);
+                    dataBuffer.write(temp, 0, temp.length);
+                }
+                in = dataBuffer.toByteArray();
+                inOfs = 0;
+                inLen = in.length;
+            } else {
+                if (inBuffer instanceof DirectBuffer) {
+                    inAddr = ((DirectBuffer) inBuffer).address();
+                    inOfs = inBuffer.position();
+                } else {
+                    if (inBuffer.hasArray()) {
+                        in = inBuffer.array();
+                        inOfs = inBuffer.position() + inBuffer.arrayOffset();
+                    } else {
+                        in = new byte[inLen];
+                        inBuffer.get(in);
+                    }
+                }
+            }
+            long outAddr = 0;
+            byte[] outArray = null;
+            int outOfs = 0;
+            if (outBuffer instanceof DirectBuffer) {
+                outAddr = ((DirectBuffer) outBuffer).address();
+                outOfs = outBuffer.position();
+            } else {
+                if (outBuffer.hasArray()) {
+                    outArray = outBuffer.array();
+                    outOfs = outBuffer.position() + outBuffer.arrayOffset();
+                } else {
+                    outArray = new byte[outLen];
+                }
+            }
+
+            int k = 0;
+            if (encrypt) {
+                k = token.p11.C_Encrypt(session.id(), inAddr, in, inOfs, inLen,
+                        outAddr, outArray, outOfs, outLen);
+                doCancel = false;
+            } else {
+                // Special handling to match SunJCE provider behavior
+                if (inLen == 0) {
+                    return 0;
+                }
+                k = token.p11.C_Decrypt(session.id(), inAddr, in, inOfs, inLen,
+                        outAddr, outArray, outOfs, outLen);
+                doCancel = false;
+            }
+            outBuffer.position(outBuffer.position() + k);
+            return k;
+        } catch (PKCS11Exception e) {
+            doCancel = false;
+            handleException(e);
+            throw new ProviderException("doFinal() failed", e);
+        } finally {
+            if (encrypt) {
+                lastEncKey = this.p11Key;
+                lastEncIv = this.iv;
+                requireReinit = true;
+            }
+            reset(doCancel);
+        }
+    }
+
+    private void handleException(PKCS11Exception e)
+            throws ShortBufferException, IllegalBlockSizeException,
+            BadPaddingException {
+        long errorCode = e.getErrorCode();
+        if (errorCode == CKR_BUFFER_TOO_SMALL) {
+            throw (ShortBufferException)
+                    (new ShortBufferException().initCause(e));
+        } else if (errorCode == CKR_DATA_LEN_RANGE ||
+                   errorCode == CKR_ENCRYPTED_DATA_LEN_RANGE) {
+            throw (IllegalBlockSizeException)
+                    (new IllegalBlockSizeException(e.toString()).initCause(e));
+        } else if (errorCode == CKR_ENCRYPTED_DATA_INVALID) {
+            throw (BadPaddingException)
+                    (new BadPaddingException(e.toString()).initCause(e));
+        }
+    }
+
+    // see JCE spec
+    protected byte[] engineWrap(Key key) throws IllegalBlockSizeException,
+            InvalidKeyException {
+        // XXX key wrapping
+        throw new UnsupportedOperationException("engineWrap()");
+    }
+
+    // see JCE spec
+    protected Key engineUnwrap(byte[] wrappedKey, String wrappedKeyAlgorithm,
+            int wrappedKeyType)
+            throws InvalidKeyException, NoSuchAlgorithmException {
+        // XXX key unwrapping
+        throw new UnsupportedOperationException("engineUnwrap()");
+    }
+
+    // see JCE spec
+    @Override
+    protected int engineGetKeySize(Key key) throws InvalidKeyException {
+        int n = P11SecretKeyFactory.convertKey
+                (token, key, ALGO).length();
+        return n;
+    }
+}
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java	Tue Jun 11 21:30:28 2019 +0000
@@ -0,0 +1,701 @@
+/*
+ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.pkcs11;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import sun.nio.ch.DirectBuffer;
+
+import java.util.Hashtable;
+import java.util.Arrays;
+import java.security.*;
+import java.security.spec.AlgorithmParameterSpec;
+import java.security.spec.MGF1ParameterSpec;
+import java.security.spec.PSSParameterSpec;
+import java.security.interfaces.*;
+import sun.security.pkcs11.wrapper.*;
+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+
+
+/**
+ * RSASSA-PSS Signature implementation class. This class currently supports the
+ * following algorithms:
+ *
+ * . RSA-PSS:
+ *   . RSASSA-PSS
+ *   . SHA1withRSASSA-PSS
+ *   . SHA224withRSASSA-PSS
+ *   . SHA256withRSASSA-PSS
+ *   . SHA384withRSASSA-PSS
+ *   . SHA512withRSASSA-PSS
+ *
+ * Note that the underlying PKCS#11 token may support complete signature
+ * algorithm (e.g. CKM_<md>_RSA_PKCS_PSS), or it may just
+ * implement the signature algorithm without hashing (i.e. CKM_RSA_PKCS_PSS).
+ * This class uses what is available and adds whatever extra processing
+ * is needed.
+ *
+ * @since   13
+ */
+final class P11PSSSignature extends SignatureSpi {
+
+    private final static boolean DEBUG = false;
+
+    // mappings of digest algorithms and their output length in bytes
+    private static final Hashtable<String, Integer> DIGEST_LENGTHS =
+        new Hashtable<String, Integer>();
+
+    static {
+        DIGEST_LENGTHS.put("SHA-1", 20);
+        DIGEST_LENGTHS.put("SHA", 20);
+        DIGEST_LENGTHS.put("SHA1", 20);
+        DIGEST_LENGTHS.put("SHA-224", 28);
+        DIGEST_LENGTHS.put("SHA224", 28);
+        DIGEST_LENGTHS.put("SHA-256", 32);
+        DIGEST_LENGTHS.put("SHA256", 32);
+        DIGEST_LENGTHS.put("SHA-384", 48);
+        DIGEST_LENGTHS.put("SHA384", 48);
+        DIGEST_LENGTHS.put("SHA-512", 64);
+        DIGEST_LENGTHS.put("SHA512", 64);
+        DIGEST_LENGTHS.put("SHA-512/224", 28);
+        DIGEST_LENGTHS.put("SHA512/224", 28);
+        DIGEST_LENGTHS.put("SHA-512/256", 32);
+        DIGEST_LENGTHS.put("SHA512/256", 32);
+    }
+
+    // utility method for comparing digest algorithms
+    // NOTE that first argument is assumed to be standard digest name
+    private static boolean isDigestEqual(String stdAlg, String givenAlg) {
+        if (stdAlg == null || givenAlg == null) return false;
+
+        if (givenAlg.indexOf("-") != -1) {
+            return stdAlg.equalsIgnoreCase(givenAlg);
+        } else {
+            if (stdAlg.equals("SHA-1")) {
+                return (givenAlg.equalsIgnoreCase("SHA")
+                        || givenAlg.equalsIgnoreCase("SHA1"));
+            } else {
+                StringBuilder sb = new StringBuilder(givenAlg);
+                // case-insensitive check
+                if (givenAlg.regionMatches(true, 0, "SHA", 0, 3)) {
+                    givenAlg = sb.insert(3, "-").toString();
+                    return stdAlg.equalsIgnoreCase(givenAlg);
+                } else {
+                    throw new ProviderException("Unsupported digest algorithm "
+                            + givenAlg);
+                }
+            }
+        }
+    }
+
+    // token instance
+    private final Token token;
+
+    // algorithm name
+    private final String algorithm;
+
+    // name of the key algorithm, currently just RSA
+    private static final String KEY_ALGO = "RSA";
+
+    // mechanism id
+    private final CK_MECHANISM mechanism;
+
+    // type, one of T_* below
+    private final int type;
+
+    // key instance used, if init*() was called
+    private P11Key p11Key = null;
+
+    // PSS parameters and the flag controlling its access
+    private PSSParameterSpec sigParams = null;
+    private boolean isActive = false;
+
+    // message digest alg, if implied by the algorithm name
+    private final String mdAlg;
+
+    // message digest, if we do the digesting ourselves
+    private MessageDigest md = null;
+
+    // associated session, if any
+    private Session session;
+
+    // mode, one of M_* below
+    private int mode;
+
+    // flag indicating whether an operation is initialized
+    private boolean initialized = false;
+
+    // buffer, for update(byte)
+    private final byte[] buffer = new byte[1];
+
+    // total number of bytes processed in current operation
+    private int bytesProcessed = 0;
+
+    // constant for signing mode
+    private final static int M_SIGN   = 1;
+    // constant for verification mode
+    private final static int M_VERIFY = 2;
+
+    // constant for type digesting, we do the hashing ourselves
+    private final static int T_DIGEST = 1;
+    // constant for type update, token does everything
+    private final static int T_UPDATE = 2;
+
+    P11PSSSignature(Token token, String algorithm, long mechId)
+            throws NoSuchAlgorithmException, PKCS11Exception {
+        super();
+        this.token = token;
+        this.algorithm = algorithm;
+        this.mechanism = new CK_MECHANISM(mechId);
+        int idx = algorithm.indexOf("with");
+        this.mdAlg = (idx == -1? null : algorithm.substring(0, idx));
+        switch ((int)mechId) {
+        case (int)CKM_SHA1_RSA_PKCS_PSS:
+        case (int)CKM_SHA224_RSA_PKCS_PSS:
+        case (int)CKM_SHA256_RSA_PKCS_PSS:
+        case (int)CKM_SHA384_RSA_PKCS_PSS:
+        case (int)CKM_SHA512_RSA_PKCS_PSS:
+            type = T_UPDATE;
+            break;
+        case (int)CKM_RSA_PKCS_PSS:
+            type = T_DIGEST;
+            break;
+        default:
+            throw new ProviderException("Unsupported mechanism: " + mechId);
+        }
+        this.md = null;
+    }
+
+    private void ensureInitialized() throws SignatureException {
+        token.ensureValid();
+        if (this.p11Key == null) {
+            throw new SignatureException("Missing key");
+        }
+        if (this.sigParams == null) {
+            if (this.mdAlg == null) {
+                // PSS Parameters are required for signature verification
+                throw new SignatureException
+                    ("Parameters required for RSASSA-PSS signature");
+            } else {
+                int saltLen = DIGEST_LENGTHS.get(this.mdAlg).intValue();
+                // generate default params for both sign and verify?
+                this.sigParams = new PSSParameterSpec(this.mdAlg,
+                        "MGF1", new MGF1ParameterSpec(this.mdAlg),
+                        saltLen, PSSParameterSpec.TRAILER_FIELD_BC);
+                this.mechanism.setParameter(new CK_RSA_PKCS_PSS_PARAMS(
+                        this.mdAlg, "MGF1", this.mdAlg,
+                        DIGEST_LENGTHS.get(this.mdAlg).intValue()));
+            }
+        }
+
+        if (initialized == false) {
+            initialize();
+        }
+    }
+
+    // reset the states to the pre-initialized values
+    private void reset(boolean doCancel) {
+        if (!initialized) {
+            return;
+        }
+        initialized = false;
+        try {
+            if (session == null) {
+                return;
+            }
+            if (doCancel && token.explicitCancel) {
+                cancelOperation();
+            }
+        } finally {
+            p11Key.releaseKeyID();
+            mechanism.freeHandle();
+            session = token.releaseSession(session);
+            isActive = false;
+        }
+    }
+
+    private void cancelOperation() {
+        token.ensureValid();
+        if (DEBUG) System.out.print("Cancelling operation");
+
+        if (session.hasObjects() == false) {
+            if (DEBUG) System.out.println(" by killing session");
+            session = token.killSession(session);
+            return;
+        }
+        // "cancel" operation by finishing it
+        if (mode == M_SIGN) {
+            try {
+                if (type == T_UPDATE) {
+                    if (DEBUG) System.out.println(" by C_SignFinal");
+                    token.p11.C_SignFinal(session.id(), 0);
+                } else {
+                    byte[] digest =
+                        (md == null? new byte[0] : md.digest());
+                    if (DEBUG) System.out.println(" by C_Sign");
+                    token.p11.C_Sign(session.id(), digest);
+                }
+            } catch (PKCS11Exception e) {
+                throw new ProviderException("cancel failed", e);
+            }
+        } else { // M_VERIFY
+            try {
+                byte[] signature =
+                    new byte[(p11Key.length() + 7) >> 3];
+                if (type == T_UPDATE) {
+                    if (DEBUG) System.out.println(" by C_VerifyFinal");
+                    token.p11.C_VerifyFinal(session.id(), signature);
+                } else {
+                    byte[] digest =
+                        (md == null? new byte[0] : md.digest());
+                    if (DEBUG) System.out.println(" by C_Verify");
+                    token.p11.C_Verify(session.id(), digest, signature);
+                }
+            } catch (PKCS11Exception e) {
+                // will fail since the signature is incorrect
+                // XXX check error code
+            }
+        }
+    }
+
+    // assumes current state is initialized == false
+    private void initialize() {
+        if (DEBUG) System.out.println("Initializing");
+
+        if (p11Key == null) {
+            throw new ProviderException(
+                    "No Key found, call initSign/initVerify first");
+        }
+
+        long keyID = p11Key.getKeyID();
+        try {
+            if (session == null) {
+                session = token.getOpSession();
+            }
+            if (mode == M_SIGN) {
+                token.p11.C_SignInit(session.id(), mechanism, keyID);
+            } else {
+                token.p11.C_VerifyInit(session.id(), mechanism, keyID);
+            }
+        } catch (PKCS11Exception e) {
+            p11Key.releaseKeyID();
+            session = token.releaseSession(session);
+            throw new ProviderException("Initialization failed", e);
+        }
+        if (bytesProcessed != 0) {
+            bytesProcessed = 0;
+            if (md != null) {
+                md.reset();
+            }
+        }
+        initialized = true;
+        isActive = false;
+        if (DEBUG) System.out.println("Initialized");
+    }
+
+    private void checkKeySize(Key key) throws InvalidKeyException {
+        if (DEBUG) System.out.print("Checking Key");
+
+        if (!key.getAlgorithm().equals(KEY_ALGO)) {
+            throw new InvalidKeyException("Only " + KEY_ALGO +
+                " keys are supported");
+        }
+
+        CK_MECHANISM_INFO mechInfo = null;
+        try {
+            mechInfo = token.getMechanismInfo(mechanism.mechanism);
+        } catch (PKCS11Exception e) {
+            // should not happen, ignore for now
+            if (DEBUG) {
+                System.out.println("Unexpected exception");
+                e.printStackTrace();
+            }
+        }
+
+        int keySize = 0; // in bytes
+        if (mechInfo != null) {
+            // check against available native info
+            int minKeySize = (int) mechInfo.ulMinKeySize;
+            int maxKeySize = (int) mechInfo.ulMaxKeySize;
+            if (key instanceof P11Key) {
+                keySize = (((P11Key) key).length() + 7) >> 3;
+            } else if (key instanceof RSAKey) {
+                keySize = ((RSAKey) key).getModulus().bitLength() >> 3;
+            } else {
+                throw new InvalidKeyException("Unrecognized key type " + key);
+            }
+            if ((minKeySize != -1) && (keySize < minKeySize)) {
+                throw new InvalidKeyException(KEY_ALGO +
+                    " key must be at least " + minKeySize + " bytes");
+            }
+            if ((maxKeySize != -1) && (keySize > maxKeySize)) {
+                throw new InvalidKeyException(KEY_ALGO +
+                    " key must be at most " + maxKeySize + " bytes");
+            }
+        }
+        if (this.sigParams != null) {
+            String digestAlg = this.sigParams.getDigestAlgorithm();
+            int sLen = this.sigParams.getSaltLength();
+            int hLen = DIGEST_LENGTHS.get(digestAlg).intValue();
+            int minKeyLen = Math.addExact(Math.addExact(sLen, hLen), 2);
+
+            if (keySize < minKeyLen) {
+                throw new InvalidKeyException
+                    ("Key is too short for current params, need min " + minKeyLen);
+            }
+        }
+    }
+
+    private void setSigParams(AlgorithmParameterSpec p)
+            throws InvalidAlgorithmParameterException {
+        if (p == null) {
+            throw new InvalidAlgorithmParameterException("PSS Parameter required");
+        }
+        if (!(p instanceof PSSParameterSpec)) {
+            throw new InvalidAlgorithmParameterException
+                ("Only PSSParameterSpec is supported");
+        }
+        // no need to validate again if same as current signature parameters
+        PSSParameterSpec params = (PSSParameterSpec) p;
+        if (params == this.sigParams) return;
+
+        String digestAlgorithm = params.getDigestAlgorithm();
+        if (this.mdAlg != null && !isDigestEqual(digestAlgorithm, this.mdAlg)) {
+            throw new InvalidAlgorithmParameterException
+                    ("Digest algorithm in Signature parameters must be " +
+                     this.mdAlg);
+        }
+        Integer digestLen = DIGEST_LENGTHS.get(digestAlgorithm);
+        if (digestLen == null) {
+            throw new InvalidAlgorithmParameterException
+                ("Unsupported digest algorithm in Signature parameters: " +
+                 digestAlgorithm);
+        }
+        if (!(params.getMGFAlgorithm().equalsIgnoreCase("MGF1"))) {
+            throw new InvalidAlgorithmParameterException("Only supports MGF1");
+        }
+        if (params.getTrailerField() != PSSParameterSpec.TRAILER_FIELD_BC) {
+            throw new InvalidAlgorithmParameterException
+                ("Only supports TrailerFieldBC(1)");
+        }
+        int saltLen = params.getSaltLength();
+        if (this.p11Key != null) {
+            int maxSaltLen = ((this.p11Key.length() + 7) >> 3) - digestLen.intValue() - 2;
+
+            if (DEBUG) {
+                System.out.println("Max saltLen = " + maxSaltLen);
+                System.out.println("Curr saltLen = " + saltLen);
+            }
+            if (maxSaltLen < 0 || saltLen > maxSaltLen) {
+                throw new InvalidAlgorithmParameterException("Invalid with current key size");
+            }
+        } else {
+            if (DEBUG) System.out.println("No key available for validating saltLen");
+        }
+
+        // validated, now try to store the parameter internally
+        try {
+            this.mechanism.setParameter(
+                    new CK_RSA_PKCS_PSS_PARAMS(digestAlgorithm, "MGF1",
+                        digestAlgorithm, saltLen));
+            this.sigParams = params;
+        } catch (IllegalArgumentException iae) {
+            throw new InvalidAlgorithmParameterException(iae);
+        }
+    }
+
+    // see JCA spec
+    @Override
+    protected void engineInitVerify(PublicKey publicKey)
+            throws InvalidKeyException {
+
+        if (publicKey == null) {
+            throw new InvalidKeyException("Key must not be null");
+        }
+
+        // Need to check key length whenever a new key is set
+        if (publicKey != p11Key) {
+            checkKeySize(publicKey);
+        }
+
+        reset(true);
+        mode = M_VERIFY;
+        p11Key = P11KeyFactory.convertKey(token, publicKey, KEY_ALGO);
+
+        // For PSS, defer PKCS11 initialization calls to update/doFinal as it
+        // needs both key and params
+    }
+
+    // see JCA spec
+    @Override
+    protected void engineInitSign(PrivateKey privateKey)
+            throws InvalidKeyException {
+
+        if (privateKey == null) {
+            throw new InvalidKeyException("Key must not be null");
+        }
+
+        // Need to check RSA key length whenever a new key is set
+        if (privateKey != p11Key) {
+            checkKeySize(privateKey);
+        }
+
+        reset(true);
+        mode = M_SIGN;
+        p11Key = P11KeyFactory.convertKey(token, privateKey, KEY_ALGO);
+
+        // For PSS, defer PKCS11 initialization calls to update/doFinal as it
+        // needs both key and params
+    }
+
+    // see JCA spec
+    @Override
+    protected void engineUpdate(byte b) throws SignatureException {
+        ensureInitialized();
+        isActive = true;
+        buffer[0] = b;
+        engineUpdate(buffer, 0, 1);
+    }
+
+    // see JCA spec
+    @Override
+    protected void engineUpdate(byte[] b, int ofs, int len)
+            throws SignatureException {
+        ensureInitialized();
+        if (len == 0) {
+            return;
+        }
+        // check for overflow
+        if (len + bytesProcessed < 0) {
+            throw new ProviderException("Processed bytes limits exceeded.");
+        }
+        isActive = true;
+        switch (type) {
+        case T_UPDATE:
+            try {
+                if (mode == M_SIGN) {
+                    System.out.println(this + ": Calling C_SignUpdate");
+                    token.p11.C_SignUpdate(session.id(), 0, b, ofs, len);
+                } else {
+                    System.out.println(this + ": Calling C_VerfifyUpdate");
+                    token.p11.C_VerifyUpdate(session.id(), 0, b, ofs, len);
+                }
+                bytesProcessed += len;
+            } catch (PKCS11Exception e) {
+                reset(false);
+                throw new ProviderException(e);
+            }
+            break;
+        case T_DIGEST:
+            // should not happen as this should be covered by earlier checks
+            if (md == null) {
+                throw new ProviderException("PSS Parameters required");
+            }
+            md.update(b, ofs, len);
+            bytesProcessed += len;
+            break;
+        default:
+            throw new ProviderException("Internal error");
+        }
+    }
+
+    // see JCA spec
+    @Override
+    protected void engineUpdate(ByteBuffer byteBuffer) {
+        try {
+            ensureInitialized();
+        } catch (SignatureException se) {
+            throw new ProviderException(se);
+        }
+        int len = byteBuffer.remaining();
+        if (len <= 0) {
+            return;
+        }
+        isActive = true;
+        switch (type) {
+        case T_UPDATE:
+            if (byteBuffer instanceof DirectBuffer == false) {
+                // cannot do better than default impl
+                super.engineUpdate(byteBuffer);
+                return;
+            }
+            long addr = ((DirectBuffer)byteBuffer).address();
+            int ofs = byteBuffer.position();
+            try {
+                if (mode == M_SIGN) {
+                    System.out.println(this + ": Calling C_SignUpdate");
+                    token.p11.C_SignUpdate
+                        (session.id(), addr + ofs, null, 0, len);
+                } else {
+                    System.out.println(this + ": Calling C_VerifyUpdate");
+                    token.p11.C_VerifyUpdate
+                        (session.id(), addr + ofs, null, 0, len);
+                }
+                bytesProcessed += len;
+                byteBuffer.position(ofs + len);
+            } catch (PKCS11Exception e) {
+                reset(false);
+                throw new ProviderException("Update failed", e);
+            }
+            break;
+        case T_DIGEST:
+            // should not happen as this should be covered by earlier checks
+            if (md == null) {
+                throw new ProviderException("PSS Parameters required");
+            }
+            md.update(byteBuffer);
+            bytesProcessed += len;
+            break;
+        default:
+            reset(false);
+            throw new ProviderException("Internal error");
+        }
+    }
+
+    // see JCA spec
+    @Override
+    protected byte[] engineSign() throws SignatureException {
+        ensureInitialized();
+        boolean doCancel = true;
+        if (DEBUG) System.out.print("Generating signature");
+        try {
+            byte[] signature;
+            if (type == T_UPDATE) {
+                if (DEBUG) System.out.println(" by C_SignFinal");
+                signature = token.p11.C_SignFinal(session.id(), 0);
+            } else {
+                if (md == null) {
+                    throw new ProviderException("PSS Parameters required");
+                }
+                byte[] digest = md.digest();
+                if (DEBUG) System.out.println(" by C_Sign");
+                signature = token.p11.C_Sign(session.id(), digest);
+            }
+            doCancel = false;
+            return signature;
+        } catch (PKCS11Exception pe) {
+            doCancel = false;
+            throw new ProviderException(pe);
+        } catch (ProviderException e) {
+            throw e;
+        } finally {
+            reset(doCancel);
+        }
+    }
+
+    // see JCA spec
+    @Override
+    protected boolean engineVerify(byte[] signature) throws SignatureException {
+        ensureInitialized();
+        boolean doCancel = true;
+        if (DEBUG) System.out.print("Verifying signature");
+        try {
+            if (type == T_UPDATE) {
+                if (DEBUG) System.out.println(" by C_VerifyFinal");
+                token.p11.C_VerifyFinal(session.id(), signature);
+            } else {
+                if (md == null) {
+                    throw new ProviderException("PSS Parameters required");
+                }
+                byte[] digest = md.digest();
+                if (DEBUG) System.out.println(" by C_Verify");
+                token.p11.C_Verify(session.id(), digest, signature);
+            }
+            doCancel = false;
+            return true;
+        } catch (PKCS11Exception pe) {
+            doCancel = false;
+            long errorCode = pe.getErrorCode();
+            if (errorCode == CKR_SIGNATURE_INVALID) {
+                return false;
+            }
+            if (errorCode == CKR_SIGNATURE_LEN_RANGE) {
+                // return false rather than throwing an exception
+                return false;
+            }
+            // ECF bug?
+            if (errorCode == CKR_DATA_LEN_RANGE) {
+                return false;
+            }
+            throw new ProviderException(pe);
+        }  catch (ProviderException e) {
+            throw e;
+        } finally {
+            reset(doCancel);
+        }
+    }
+
+    // see JCA spec
+    @SuppressWarnings("deprecation")
+    @Override
+    protected void engineSetParameter(String param, Object value)
+            throws InvalidParameterException {
+        throw new UnsupportedOperationException("setParameter() not supported");
+    }
+
+    // see JCA spec
+    @Override
+    protected void engineSetParameter(AlgorithmParameterSpec params)
+            throws InvalidAlgorithmParameterException {
+        // disallow changing parameters when update has been called
+        if (isActive) {
+            throw new ProviderException
+                ("Cannot set parameters during operations");
+        }
+        setSigParams(params);
+        if (type == T_DIGEST) {
+            try {
+                this.md = MessageDigest.getInstance(sigParams.getDigestAlgorithm());
+            } catch (NoSuchAlgorithmException nsae) {
+                throw new InvalidAlgorithmParameterException(nsae);
+            }
+        }
+    }
+
+    // see JCA spec
+    @SuppressWarnings("deprecation")
+    @Override
+    protected Object engineGetParameter(String param)
+            throws InvalidParameterException {
+        throw new UnsupportedOperationException("getParameter() not supported");
+    }
+
+    // see JCA spec
+    @Override
+    protected AlgorithmParameters engineGetParameters() {
+        if (this.sigParams != null) {
+            try {
+                AlgorithmParameters ap = AlgorithmParameters.getInstance("RSASSA-PSS");
+                ap.init(this.sigParams);
+                return ap;
+            } catch (GeneralSecurityException e) {
+                throw new RuntimeException(e);
+            }
+        }
+        return null;
+    }
+}
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java	Tue Jun 11 13:04:36 2019 -0400
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java	Tue Jun 11 21:30:28 2019 +0000
@@ -275,10 +275,10 @@
                 long sessId = session.id();
                 switch (mode) {
                 case MODE_ENCRYPT:
-                    p11.C_Encrypt(sessId, buffer, 0, inLen, buffer, 0, outLen);
+                    p11.C_Encrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
                     break;
                 case MODE_DECRYPT:
-                    p11.C_Decrypt(sessId, buffer, 0, inLen, buffer, 0, outLen);
+                    p11.C_Decrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen);
                     break;
                 case MODE_SIGN:
                     byte[] tmpBuffer = new byte[maxInputSize];
@@ -372,11 +372,11 @@
             switch (mode) {
             case MODE_ENCRYPT:
                 n = p11.C_Encrypt
-                        (session.id(), buffer, 0, bufOfs, out, outOfs, outLen);
+                        (session.id(), 0, buffer, 0, bufOfs, 0, out, outOfs, outLen);
                 break;
             case MODE_DECRYPT:
                 n = p11.C_Decrypt
-                        (session.id(), buffer, 0, bufOfs, out, outOfs, outLen);
+                        (session.id(), 0, buffer, 0, bufOfs, 0, out, outOfs, outLen);
                 break;
             case MODE_SIGN:
                 byte[] tmpBuffer = new byte[bufOfs];
@@ -552,6 +552,7 @@
                     s = token.getObjSession();
                     long p11KeyType =
                         P11SecretKeyFactory.getPKCS11KeyType(algorithm);
+
                     CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] {
                             new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
                             new CK_ATTRIBUTE(CKA_KEY_TYPE, p11KeyType),
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java	Tue Jun 11 13:04:36 2019 -0400
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java	Tue Jun 11 21:30:28 2019 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -516,7 +516,9 @@
         String P11SecretKeyFactory = "sun.security.pkcs11.P11SecretKeyFactory";
         String P11Cipher           = "sun.security.pkcs11.P11Cipher";
         String P11RSACipher        = "sun.security.pkcs11.P11RSACipher";
+        String P11AEADCipher       = "sun.security.pkcs11.P11AEADCipher";
         String P11Signature        = "sun.security.pkcs11.P11Signature";
+        String P11PSSSignature     = "sun.security.pkcs11.P11PSSSignature";
 
         // XXX register all aliases
 
@@ -540,6 +542,12 @@
         d(MD, "SHA-512",        P11Digest,
                 s("2.16.840.1.101.3.4.2.3", "OID.2.16.840.1.101.3.4.2.3"),
                 m(CKM_SHA512));
+        d(MD, "SHA-512/224",        P11Digest,
+                s("2.16.840.1.101.3.4.2.5", "OID.2.16.840.1.101.3.4.2.5"),
+                m(CKM_SHA512_224));
+        d(MD, "SHA-512/256",        P11Digest,
+                s("2.16.840.1.101.3.4.2.6", "OID.2.16.840.1.101.3.4.2.6"),
+                m(CKM_SHA512_256));
 
         d(MAC, "HmacMD5",       P11MAC,
                 m(CKM_MD5_HMAC));
@@ -558,13 +566,22 @@
         d(MAC, "HmacSHA512",    P11MAC,
                 s("1.2.840.113549.2.11", "OID.1.2.840.113549.2.11"),
                 m(CKM_SHA512_HMAC));
+        d(MAC, "HmacSHA512/224",    P11MAC,
+                s("1.2.840.113549.2.12", "OID.1.2.840.113549.2.12"),
+                m(CKM_SHA512_224_HMAC));
+        d(MAC, "HmacSHA512/256",    P11MAC,
+                s("1.2.840.113549.2.13", "OID.1.2.840.113549.2.13"),
+                m(CKM_SHA512_256_HMAC));
+
         d(MAC, "SslMacMD5",     P11MAC,
                 m(CKM_SSL3_MD5_MAC));
         d(MAC, "SslMacSHA1",    P11MAC,
                 m(CKM_SSL3_SHA1_MAC));
 
         d(KPG, "RSA",           P11KeyPairGenerator,
+                s("1.2.840.113549.1.1", "OID.1.2.840.113549.1.1"),
                 m(CKM_RSA_PKCS_KEY_PAIR_GEN));
+
         d(KPG, "DSA",           P11KeyPairGenerator,
                 s("1.3.14.3.2.12", "1.2.840.10040.4.1", "OID.1.2.840.10040.4.1"),
                 m(CKM_DSA_KEY_PAIR_GEN));
@@ -587,6 +604,7 @@
         // register (Secret)KeyFactories if there are any mechanisms
         // for a particular algorithm that we support
         d(KF, "RSA",            P11RSAKeyFactory,
+                s("1.2.840.113549.1.1", "OID.1.2.840.113549.1.1"),
                 m(CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_RSA_PKCS, CKM_RSA_X_509));
         d(KF, "DSA",            P11DSAKeyFactory,
                 s("1.3.14.3.2.12", "1.2.840.10040.4.1", "OID.1.2.840.10040.4.1"),
@@ -600,10 +618,14 @@
         // AlgorithmParameters for EC.
         // Only needed until we have an EC implementation in the SUN provider.
         d(AGP, "EC",            "sun.security.util.ECParameters",
-                                                s("1.2.840.10045.2.1"),
+                s("1.2.840.10045.2.1"),
                 m(CKM_EC_KEY_PAIR_GEN, CKM_ECDH1_DERIVE,
                     CKM_ECDSA, CKM_ECDSA_SHA1));
 
+
+        d(AGP, "GCM",            "sun.security.util.GCMParameters",
+                m(CKM_AES_GCM));
+
         d(KA, "DH",             P11KeyAgreement,        s("DiffieHellman"),
                 m(CKM_DH_PKCS_DERIVE));
         d(KA, "ECDH",           "sun.security.pkcs11.P11ECDHKeyAgreement",
@@ -669,12 +691,24 @@
                 m(CKM_AES_ECB));
         d(CIP, "AES/CTR/NoPadding",             P11Cipher,
                 m(CKM_AES_CTR));
+
+        d(CIP, "AES/GCM/NoPadding",             P11AEADCipher,
+                m(CKM_AES_GCM));
+        d(CIP, "AES_128/GCM/NoPadding",          P11AEADCipher,
+                s("2.16.840.1.101.3.4.1.6", "OID.2.16.840.1.101.3.4.1.6"),
+                m(CKM_AES_GCM));
+        d(CIP, "AES_192/GCM/NoPadding",          P11AEADCipher,
+                s("2.16.840.1.101.3.4.1.26", "OID.2.16.840.1.101.3.4.1.26"),
+                m(CKM_AES_GCM));
+        d(CIP, "AES_256/GCM/NoPadding",          P11AEADCipher,
+                s("2.16.840.1.101.3.4.1.46", "OID.2.16.840.1.101.3.4.1.46"),
+                m(CKM_AES_GCM));
+
         d(CIP, "Blowfish/CBC/NoPadding",        P11Cipher,
                 m(CKM_BLOWFISH_CBC));
         d(CIP, "Blowfish/CBC/PKCS5Padding",     P11Cipher,
                 m(CKM_BLOWFISH_CBC));
 
-        // XXX RSA_X_509, RSA_OAEP not yet supported
         d(CIP, "RSA/ECB/PKCS1Padding",          P11RSACipher,   s("RSA"),
                 m(CKM_RSA_PKCS));
         d(CIP, "RSA/ECB/NoPadding",             P11RSACipher,
@@ -686,12 +720,25 @@
                 s("SHA1withDSA", "1.3.14.3.2.13", "1.3.14.3.2.27",
                   "1.2.840.10040.4.3", "OID.1.2.840.10040.4.3"),
                 m(CKM_DSA_SHA1, CKM_DSA));
+        d(SIG, "SHA224withDSA", P11Signature,
+                s("2.16.840.1.101.3.4.3.1", "OID.2.16.840.1.101.3.4.3.1"),
+                m(CKM_DSA_SHA224));
+        d(SIG, "SHA256withDSA", P11Signature,
+                s("2.16.840.1.101.3.4.3.2", "OID.2.16.840.1.101.3.4.3.2"),
+                m(CKM_DSA_SHA256));
+        d(SIG, "SHA384withDSA", P11Signature,
+                s("2.16.840.1.101.3.4.3.3", "OID.2.16.840.1.101.3.4.3.3"),
+                m(CKM_DSA_SHA384));
+        d(SIG, "SHA512withDSA", P11Signature,
+                s("2.16.840.1.101.3.4.3.4", "OID.2.16.840.1.101.3.4.3.4"),
+                m(CKM_DSA_SHA512));
         d(SIG, "RawDSAinP1363Format",   P11Signature,
                 s("NONEwithDSAinP1363Format"),
                 m(CKM_DSA));
         d(SIG, "DSAinP1363Format",      P11Signature,
                 s("SHA1withDSAinP1363Format"),
                 m(CKM_DSA_SHA1, CKM_DSA));
+
         d(SIG, "NONEwithECDSA", P11Signature,
                 m(CKM_ECDSA));
         d(SIG, "SHA1withECDSA", P11Signature,
@@ -743,6 +790,19 @@
         d(SIG, "SHA512withRSA", P11Signature,
                 s("1.2.840.113549.1.1.13", "OID.1.2.840.113549.1.1.13"),
                 m(CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
+        d(SIG, "RSASSA-PSS", P11PSSSignature,
+                s("1.2.840.113549.1.1.10", "OID.1.2.840.113549.1.1.10"),
+                m(CKM_RSA_PKCS_PSS));
+        d(SIG, "SHA1withRSASSA-PSS", P11PSSSignature,
+                m(CKM_SHA1_RSA_PKCS_PSS));
+        d(SIG, "SHA224withRSASSA-PSS", P11PSSSignature,
+                m(CKM_SHA224_RSA_PKCS_PSS));
+        d(SIG, "SHA256withRSASSA-PSS", P11PSSSignature,
+                m(CKM_SHA256_RSA_PKCS_PSS));
+        d(SIG, "SHA384withRSASSA-PSS", P11PSSSignature,
+                m(CKM_SHA384_RSA_PKCS_PSS));
+        d(SIG, "SHA512withRSASSA-PSS", P11PSSSignature,
+                m(CKM_SHA512_RSA_PKCS_PSS));
 
         d(KG, "SunTlsRsaPremasterSecret",
                     "sun.security.pkcs11.P11TlsRsaPremasterSecretGenerator",
@@ -1008,11 +1068,17 @@
             } else if (type == CIP) {
                 if (algorithm.startsWith("RSA")) {
                     return new P11RSACipher(token, algorithm, mechanism);
+                } else if (algorithm.endsWith("GCM/NoPadding")) {
+                    return new P11AEADCipher(token, algorithm, mechanism);
                 } else {
                     return new P11Cipher(token, algorithm, mechanism);
                 }
             } else if (type == SIG) {
-                return new P11Signature(token, algorithm, mechanism);
+                if (algorithm.indexOf("RSASSA-PSS") != -1) {
+                    return new P11PSSSignature(token, algorithm, mechanism);
+                } else {
+                    return new P11Signature(token, algorithm, mechanism);
+                }
             } else if (type == MAC) {
                 return new P11Mac(token, algorithm, mechanism);
             } else if (type == KPG) {
@@ -1051,7 +1117,14 @@
             } else if (type == KS) {
                 return token.getKeyStore();
             } else if (type == AGP) {
-                return new sun.security.util.ECParameters();
+                if (algorithm == "EC") {
+                    return new sun.security.util.ECParameters();
+                } else if (algorithm == "GCM") {
+                    return new sun.security.util.GCMParameters();
+                } else {
+                    throw new NoSuchAlgorithmException("Unsupported algorithm: "
+                            + algorithm);
+                }
             } else {
                 throw new NoSuchAlgorithmException("Unknown type: " + type);
             }
@@ -1070,7 +1143,7 @@
             String keyAlgorithm = key.getAlgorithm();
             // RSA signatures and cipher
             if (((type == CIP) && algorithm.startsWith("RSA"))
-                    || (type == SIG) && algorithm.endsWith("RSA")) {
+                    || (type == SIG) && (algorithm.indexOf("RSA") != -1)) {
                 if (keyAlgorithm.equals("RSA") == false) {
                     return false;
                 }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_CCM_PARAMS.java	Tue Jun 11 21:30:28 2019 +0000
@@ -0,0 +1,83 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.pkcs11.wrapper;
+
+/**
+ * This class represents the necessary parameters required by
+ * the CKM_AES_CCM mechanism as defined in CK_CCM_PARAMS structure.<p>
+ * <B>PKCS#11 structure:</B>
+ * <PRE>
+ * typedef struct CK_CCM_PARAMS {
+ *   CK_ULONG ulDataLen;
+ *   CK_BYTE_PTR pNonce;
+ *   CK_ULONG ulNonceLen;
+ *   CK_BYTE_PTR pAAD;
+ *   CK_ULONG ulAADLen;
+ *   CK_ULONG ulMACLen;
+ * } CK_CCM_PARAMS;
+ * </PRE>
+ *
+ * @since   13
+ */
+public class CK_CCM_PARAMS {
+
+    private final long dataLen;
+    private final byte[] nonce;
+    private final byte[] aad;
+    private final long macLen;
+
+    public CK_CCM_PARAMS(int tagLen, byte[] iv, byte[] aad, int dataLen) {
+        this.dataLen = dataLen;
+        this.nonce = iv;
+        this.aad = aad;
+        this.macLen = tagLen;
+    }
+
+    public String toString() {
+        StringBuilder sb = new StringBuilder();
+
+        sb.append(Constants.INDENT);
+        sb.append("ulDataLen: ");
+        sb.append(dataLen);
+        sb.append(Constants.NEWLINE);
+
+        sb.append(Constants.INDENT);
+        sb.append("iv: ");
+        sb.append(Functions.toHexString(nonce));
+        sb.append(Constants.NEWLINE);
+
+        sb.append(Constants.INDENT);
+        sb.append("aad: ");
+        sb.append(Functions.toHexString(aad));
+        sb.append(Constants.NEWLINE);
+
+        sb.append(Constants.INDENT);
+        sb.append("tagLen: ");
+        sb.append(macLen);
+
+        return sb.toString();
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_GCM_PARAMS.java	Tue Jun 11 21:30:28 2019 +0000
@@ -0,0 +1,75 @@
+/*
+ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.pkcs11.wrapper;
+
+/**
+ * This class represents the necessary parameters required by
+ * the CKM_AES_GCM mechanism as defined in CK_GCM_PARAMS structure.<p>
+ * <B>PKCS#11 structure:</B>
+ * <PRE>
+ * typedef struct CK_GCM_PARAMS {
+ *    CK_BYTE_PTR       pIv;
+ *    CK_ULONG          ulIvLen;
+ *    CK_BYTE_PTR       pAAD;
+ *    CK_ULONG          ulAADLen;
+ *    CK_ULONG          ulTagBits;
+ * } CK_GCM_PARAMS;
+ * </PRE>
+ *
+ * @since   10
+ */
+public class CK_GCM_PARAMS {
+
+    private final byte[] iv;
+    private final byte[] aad;
+    private final long tagBits;
+
+    public CK_GCM_PARAMS(int tagLenInBits, byte[] iv, byte[] aad) {
+        this.iv = iv;
+        this.aad = aad;
+        this.tagBits = tagLenInBits;
+    }
+
+    public String toString() {
+        StringBuilder sb = new StringBuilder();
+
+        sb.append(Constants.INDENT);
+        sb.append("iv: ");
+        sb.append(Functions.toHexString(iv));
+        sb.append(Constants.NEWLINE);
+
+        sb.append(Constants.INDENT);
+        sb.append("aad: ");
+        sb.append(Functions.toHexString(aad));
+        sb.append(Constants.NEWLINE);
+
+        sb.append(Constants.INDENT);
+        sb.append("tagLen(in bits): ");
+        sb.append(tagBits);
+
+        return sb.toString();
+    }
+}
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java	Tue Jun 11 13:04:36 2019 -0400
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java	Tue Jun 11 21:30:28 2019 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
  */
 
 /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
@@ -82,11 +82,15 @@
      *   CK_ULONG ulParameterLen;
      * </PRE>
      */
-    public Object pParameter;
+    public Object pParameter = null;
 
-    public CK_MECHANISM() {
-        // empty
-    }
+    // pointer to native CK_MECHANISM structure
+    // For mechanisms which have only mechanism id, the native structure
+    // can be freed right after init and this field will not be used. However,
+    // for mechanisms which have both mechanism id and parameters, it can
+    // only be freed after operation is finished. Thus, the native pointer
+    // will be stored here and then be explicitly freed by caller.
+    private long pHandle = 0L;
 
     public CK_MECHANISM(long mechanism) {
         this.mechanism = mechanism;
@@ -95,7 +99,6 @@
     // We don't have a (long,Object) constructor to force type checking.
     // This makes sure we don't accidentally pass a class that the native
     // code cannot handle.
-
     public CK_MECHANISM(long mechanism, byte[] pParameter) {
         init(mechanism, pParameter);
     }
@@ -144,6 +147,33 @@
         init(mechanism, params);
     }
 
+    public CK_MECHANISM(long mechanism, CK_GCM_PARAMS params) {
+        init(mechanism, params);
+    }
+
+    public CK_MECHANISM(long mechanism, CK_CCM_PARAMS params) {
+        init(mechanism, params);
+    }
+
+    // For PSS. the parameter may be set multiple times, use the
+    // CK_MECHANISM(long) constructor and setParameter(CK_RSA_PKCS_PSS_PARAMS)
+    // methods instead of creating yet another constructor
+    public void setParameter(CK_RSA_PKCS_PSS_PARAMS params) {
+        assert(this.mechanism == CKM_RSA_PKCS_PSS);
+        assert(params != null);
+        if (this.pParameter != null && this.pParameter.equals(params)) {
+            return;
+        }
+        freeHandle();
+        this.pParameter = params;
+    }
+
+    public void freeHandle() {
+        if (this.pHandle != 0L) {
+            this.pHandle = PKCS11.freeMechanism(pHandle);
+        }
+    }
+
     private void init(long mechanism, Object pParameter) {
         this.mechanism = mechanism;
         this.pParameter = pParameter;
@@ -167,12 +197,17 @@
         sb.append(pParameter.toString());
         sb.append(Constants.NEWLINE);
 
+        /*
         sb.append(Constants.INDENT);
         sb.append("ulParameterLen: ??");
-        //buffer.append(pParameter.length);
-        //buffer.append(Constants.NEWLINE);
-
+        sb.append(Constants.NEWLINE);
+        */
+        if (pHandle != 0L) {
+            sb.append(Constants.INDENT);
+            sb.append("pHandle: ");
+            sb.append(pHandle);
+            sb.append(Constants.NEWLINE);
+        }
         return sb.toString() ;
     }
-
 }
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java	Tue Jun 11 13:04:36 2019 -0400
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java	Tue Jun 11 21:30:28 2019 +0000
@@ -1,118 +1,105 @@
 /*
- * reserved comment block
- * DO NOT REMOVE OR ALTER!
- */
-/* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
+ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
- * Redistribution and use in  source and binary forms, with or without
- * modification, are permitted  provided that the following conditions are met:
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
  *
- * 1. Redistributions of  source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
  *
- * 2. Redistributions in  binary form must reproduce the above copyright notice,
- *    this list of conditions and the following disclaimer in the documentation
- *    and/or other materials provided with the distribution.
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  *
- * 3. The end-user documentation included with the redistribution, if any, must
- *    include the following acknowledgment:
- *
- *    "This product includes software developed by IAIK of Graz University of
- *     Technology."
- *
- *    Alternately, this acknowledgment may appear in the software itself, if
- *    and wherever such third-party acknowledgments normally appear.
- *
- * 4. The names "Graz University of Technology" and "IAIK of Graz University of
- *    Technology" must not be used to endorse or promote products derived from
- *    this software without prior written permission.
- *
- * 5. Products derived from this software may not be called
- *    "IAIK PKCS Wrapper", nor may "IAIK" appear in their name, without prior
- *    written permission of Graz University of Technology.
- *
- *  THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED
- *  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- *  WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- *  PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE LICENSOR BE
- *  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *  OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- *  PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
- *  OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- *  ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
- *  OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- *  OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *  POSSIBILITY  OF SUCH DAMAGE.
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
  */
 
 package sun.security.pkcs11.wrapper;
 
+import java.security.ProviderException;
+import java.security.spec.PSSParameterSpec;
+import java.security.spec.MGF1ParameterSpec;
 
 
 /**
- * class CK_RSA_PKCS_PSS_PARAMS provides the parameters to the CKM_RSA_PKCS_OAEP
- * mechanism.<p>
+ * This class represents the necessary parameters required by the
+ * CKM_RSA_PKCS_PSS mechanism as defined in CK_RSA_PKCS_PSS_PARAMS structure.<p>
  * <B>PKCS#11 structure:</B>
  * <PRE>
  * typedef struct CK_RSA_PKCS_PSS_PARAMS {
- *   CK_MECHANISM_TYPE hashAlg;
- *   CK_RSA_PKCS_MGF_TYPE mgf;
- *   CK_ULONG sLen;
+ *    CK_MECHANISM_TYPE    hashAlg;
+ *    CK_RSA_PKCS_MGF_TYPE mgf;
+ *    CK_ULONG             sLen;
  * } CK_RSA_PKCS_PSS_PARAMS;
  * </PRE>
  *
- * @author Karl Scheibelhofer <Karl.Scheibelhofer@iaik.at>
+ * @since   13
  */
 public class CK_RSA_PKCS_PSS_PARAMS {
 
-    /**
-     * <B>PKCS#11:</B>
-     * <PRE>
-     *   CK_MECHANISM_TYPE hashAlg;
-     * </PRE>
-     */
-    public long hashAlg;
+    private final long hashAlg;
+    private final long mgf;
+    private final long sLen;
 
-    /**
-     * <B>PKCS#11:</B>
-     * <PRE>
-     *   CK_RSA_PKCS_MGF_TYPE mgf;
-     * </PRE>
-     */
-    public long mgf;
+    public CK_RSA_PKCS_PSS_PARAMS(String hashAlg, String mgfAlg,
+            String mgfHash, int sLen) {
+        this.hashAlg = Functions.getHashMechId(hashAlg);
+        if (!mgfAlg.equals("MGF1")) {
+            throw new ProviderException("Only MGF1 is supported");
+        }
+        // no dash in PKCS#11 mechanism names
+        this.mgf = Functions.getMGFId("CKG_MGF1_" + hashAlg.replaceFirst("-", ""));
+        this.sLen = sLen;
+    }
 
-    /**
-     * <B>PKCS#11:</B>
-     * <PRE>
-     *   CK_ULONG sLen;
-     * </PRE>
-     */
-    public long sLen;
+    @Override
+    public boolean equals(Object o) {
+        if (o == this) {
+            return true;
+        }
 
-    /**
-     * Returns the string representation of CK_PKCS5_PBKD2_PARAMS.
-     *
-     * @return the string representation of CK_PKCS5_PBKD2_PARAMS
-     */
+        if (!(o instanceof CK_RSA_PKCS_PSS_PARAMS)) {
+            return false;
+        }
+
+        CK_RSA_PKCS_PSS_PARAMS other = (CK_RSA_PKCS_PSS_PARAMS) o;
+        return ((other.hashAlg == hashAlg) &&
+                (other.mgf == mgf) &&
+                (other.sLen == sLen));
+    }
+
+    @Override
+    public int hashCode() {
+        return (int)(hashAlg << 2 + mgf << 1 + sLen);
+    }
+
+    @Override
     public String toString() {
         StringBuilder sb = new StringBuilder();
 
         sb.append(Constants.INDENT);
-        sb.append("hashAlg: 0x");
+        sb.append("hashAlg: ");
         sb.append(Functions.toFullHexString(hashAlg));
         sb.append(Constants.NEWLINE);
 
         sb.append(Constants.INDENT);
-        sb.append("mgf: 0x");
+        sb.append("mgf: ");
         sb.append(Functions.toFullHexString(mgf));
         sb.append(Constants.NEWLINE);
 
         sb.append(Constants.INDENT);
-        sb.append("sLen: ");
+        sb.append("sLen(in bytes): ");
         sb.append(sLen);
-        //buffer.append(Constants.NEWLINE);
 
         return sb.toString();
     }
-
 }
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/Functions.java	Tue Jun 11 13:04:36 2019 -0400
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/Functions.java	Tue Jun 11 21:30:28 2019 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
  */
 
 /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
@@ -97,6 +97,13 @@
     private static final Map<String,Integer> objectClassIds =
         new HashMap<String,Integer>();
 
+    // MGFs (CKG_*)
+    private static final Map<Integer,String> mgfNames =
+        new HashMap<Integer,String>();
+
+    private static final Map<String,Integer> mgfIds =
+        new HashMap<String,Integer>();
+
     /**
      * For converting numbers to their hex presentation.
      */
@@ -401,7 +408,11 @@
             name = nameMap.get(Integer.valueOf((int)id));
         }
         if (name == null) {
-            name = "Unknown 0x" + toFullHexString(id);
+            if ((id & CKM_VENDOR_DEFINED) != 0) {
+                name = "(Vendor-Specific) 0x" + toFullHexString(id);
+            } else {
+                name = "(Unknown) 0x" + toFullHexString(id);
+            }
         }
         return name;
     }
@@ -450,6 +461,14 @@
         return hashMechIds.get(name);
     }
 
+    public static String getMGFName(long id) {
+        return getName(mgfNames, id);
+    }
+
+    public static long getMGFId(String name) {
+        return getId(mgfIds, name);
+    }
+
     /**
      * Check the given arrays for equalitiy. This method considers both arrays as
      * equal, if both are <code>null</code> or both have the same length and
@@ -595,8 +614,14 @@
         addMapping(objectClassNames, objectClassIds, id, name);
     }
 
-    private static void addHashMech(long id, String name) {
-        hashMechIds.put(name, id);
+    private static void addHashMech(long id, String... names) {
+        for (String n : names) {
+            hashMechIds.put(n, id);
+        }
+    }
+
+    private static void addMGF(long id, String name) {
+        addMapping(mgfNames, mgfIds, id, name);
     }
 
     static {
@@ -618,16 +643,27 @@
         addMech(CKM_DSA_KEY_PAIR_GEN,           "CKM_DSA_KEY_PAIR_GEN");
         addMech(CKM_DSA,                        "CKM_DSA");
         addMech(CKM_DSA_SHA1,                   "CKM_DSA_SHA1");
+        addMech(CKM_DSA_SHA224,                 "CKM_DSA_SHA224");
+        addMech(CKM_DSA_SHA256,                 "CKM_DSA_SHA256");
+        addMech(CKM_DSA_SHA384,                 "CKM_DSA_SHA384");
+        addMech(CKM_DSA_SHA512,                 "CKM_DSA_SHA512");
+
         addMech(CKM_DH_PKCS_KEY_PAIR_GEN,       "CKM_DH_PKCS_KEY_PAIR_GEN");
         addMech(CKM_DH_PKCS_DERIVE,             "CKM_DH_PKCS_DERIVE");
         addMech(CKM_X9_42_DH_KEY_PAIR_GEN,      "CKM_X9_42_DH_KEY_PAIR_GEN");
         addMech(CKM_X9_42_DH_DERIVE,            "CKM_X9_42_DH_DERIVE");
         addMech(CKM_X9_42_DH_HYBRID_DERIVE,     "CKM_X9_42_DH_HYBRID_DERIVE");
         addMech(CKM_X9_42_MQV_DERIVE,           "CKM_X9_42_MQV_DERIVE");
-        addMech(CKM_SHA224_RSA_PKCS,            "CKM_SHA224_RSA_PKCS");
+
         addMech(CKM_SHA256_RSA_PKCS,            "CKM_SHA256_RSA_PKCS");
         addMech(CKM_SHA384_RSA_PKCS,            "CKM_SHA384_RSA_PKCS");
         addMech(CKM_SHA512_RSA_PKCS,            "CKM_SHA512_RSA_PKCS");
+        addMech(CKM_SHA256_RSA_PKCS_PSS,        "CKM_SHA256_RSA_PKCS_PSS");
+        addMech(CKM_SHA384_RSA_PKCS_PSS,        "CKM_SHA384_RSA_PKCS_PSS");
+        addMech(CKM_SHA512_RSA_PKCS_PSS,        "CKM_SHA512_RSA_PKCS_PSS");
+        addMech(CKM_SHA224_RSA_PKCS,            "CKM_SHA224_RSA_PKCS");
+        addMech(CKM_SHA224_RSA_PKCS_PSS,        "CKM_SHA224_RSA_PKCS_PSS");
+
         addMech(CKM_RC2_KEY_GEN,                "CKM_RC2_KEY_GEN");
         addMech(CKM_RC2_ECB,                    "CKM_RC2_ECB");
         addMech(CKM_RC2_CBC,                    "CKM_RC2_CBC");
@@ -649,12 +685,21 @@
         addMech(CKM_DES3_MAC,                   "CKM_DES3_MAC");
         addMech(CKM_DES3_MAC_GENERAL,           "CKM_DES3_MAC_GENERAL");
         addMech(CKM_DES3_CBC_PAD,               "CKM_DES3_CBC_PAD");
+        addMech(CKM_DES3_CMAC_GENERAL,          "CKM_DES3_CMAC_GENERAL");
+        addMech(CKM_DES3_CMAC,                  "CKM_DES3_CMAC");
+
         addMech(CKM_CDMF_KEY_GEN,               "CKM_CDMF_KEY_GEN");
         addMech(CKM_CDMF_ECB,                   "CKM_CDMF_ECB");
         addMech(CKM_CDMF_CBC,                   "CKM_CDMF_CBC");
         addMech(CKM_CDMF_MAC,                   "CKM_CDMF_MAC");
         addMech(CKM_CDMF_MAC_GENERAL,           "CKM_CDMF_MAC_GENERAL");
         addMech(CKM_CDMF_CBC_PAD,               "CKM_CDMF_CBC_PAD");
+
+        addMech(CKM_DES_OFB64,                  "CKM_DES_OFB64");
+        addMech(CKM_DES_OFB8,                   "CKM_DES_OFB8");
+        addMech(CKM_DES_CFB64,                  "CKM_DES_CFB64");
+        addMech(CKM_DES_CFB8,                   "CKM_DES_CFB8");
+
         addMech(CKM_MD2,                        "CKM_MD2");
         addMech(CKM_MD2_HMAC,                   "CKM_MD2_HMAC");
         addMech(CKM_MD2_HMAC_GENERAL,           "CKM_MD2_HMAC_GENERAL");
@@ -682,6 +727,26 @@
         addMech(CKM_SHA512,                     "CKM_SHA512");
         addMech(CKM_SHA512_HMAC,                "CKM_SHA512_HMAC");
         addMech(CKM_SHA512_HMAC_GENERAL,        "CKM_SHA512_HMAC_GENERAL");
+        addMech(CKM_SHA512_224,                 "CKM_SHA512_224");
+        addMech(CKM_SHA512_224_HMAC,            "CKM_SHA512_224_HMAC");
+        addMech(CKM_SHA512_224_HMAC_GENERAL,    "CKM_SHA512_224_HMAC_GENERAL");
+        addMech(CKM_SHA512_224_KEY_DERIVATION,  "CKM_SHA512_224_KEY_DERIVATION");
+        addMech(CKM_SHA512_256,                 "CKM_SHA512_256");
+        addMech(CKM_SHA512_256_HMAC,            "CKM_SHA512_256_HMAC");
+        addMech(CKM_SHA512_256_HMAC_GENERAL,    "CKM_SHA512_256_HMAC_GENERAL");
+        addMech(CKM_SHA512_256_KEY_DERIVATION,  "CKM_SHA512_256_KEY_DERIVATION");
+        addMech(CKM_SHA512_T,                   "CKM_SHA512_T");
+        addMech(CKM_SHA512_T_HMAC,              "CKM_SHA512_T_HMAC");
+        addMech(CKM_SHA512_T_HMAC_GENERAL,      "CKM_SHA512_T_HMAC_GENERAL");
+        addMech(CKM_SHA512_T_KEY_DERIVATION,    "CKM_SHA512_T_KEY_DERIVATION");
+
+        addMech(CKM_SECURID_KEY_GEN,            "CKM_SECURID_KEY_GEN");
+        addMech(CKM_SECURID,                    "CKM_SECURID");
+        addMech(CKM_HOTP_KEY_GEN,               "CKM_HOTP_KEY_GEN");
+        addMech(CKM_HOTP,                       "CKM_HOTP");
+        addMech(CKM_ACTI,                       "CKM_ACTI");
+        addMech(CKM_ACTI_KEY_GEN,               "CKM_ACTI_KEY_GEN");
+
         addMech(CKM_CAST_KEY_GEN,               "CKM_CAST_KEY_GEN");
         addMech(CKM_CAST_ECB,                   "CKM_CAST_ECB");
         addMech(CKM_CAST_CBC,                   "CKM_CAST_CBC");
@@ -729,10 +794,7 @@
         addMech(CKM_TLS_PRF,                    "CKM_TLS_PRF");
         addMech(CKM_SSL3_MD5_MAC,               "CKM_SSL3_MD5_MAC");
         addMech(CKM_SSL3_SHA1_MAC,              "CKM_SSL3_SHA1_MAC");
-        addMech(CKM_TLS12_MASTER_KEY_DERIVE,    "CKM_TLS12_MASTER_KEY_DERIVE");
-        addMech(CKM_TLS12_KEY_AND_MAC_DERIVE,   "CKM_TLS12_KEY_AND_MAC_DERIVE");
-        addMech(CKM_TLS12_MASTER_KEY_DERIVE_DH, "CKM_TLS12_MASTER_KEY_DERIVE_DH");
-        addMech(CKM_TLS_MAC,                    "CKM_TLS_MAC");
+
         addMech(CKM_MD5_KEY_DERIVATION,         "CKM_MD5_KEY_DERIVATION");
         addMech(CKM_MD2_KEY_DERIVATION,         "CKM_MD2_KEY_DERIVATION");
         addMech(CKM_SHA1_KEY_DERIVATION,        "CKM_SHA1_KEY_DERIVATION");
@@ -754,8 +816,62 @@
         addMech(CKM_PBE_SHA1_RC2_40_CBC,        "CKM_PBE_SHA1_RC2_40_CBC");
         addMech(CKM_PKCS5_PBKD2,                "CKM_PKCS5_PBKD2");
         addMech(CKM_PBA_SHA1_WITH_SHA1_HMAC,    "CKM_PBA_SHA1_WITH_SHA1_HMAC");
+
+        addMech(CKM_WTLS_PRE_MASTER_KEY_GEN,    "CKM_WTLS_PRE_MASTER_KEY_GEN");
+        addMech(CKM_WTLS_MASTER_KEY_DERIVE,     "CKM_WTLS_MASTER_KEY_DERIVE");
+        addMech(CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC,
+                                                "CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC");
+        addMech(CKM_WTLS_PRF,                   "CKM_WTLS_PRF");
+        addMech(CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE,
+                                                "CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE");
+        addMech(CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE,
+                                                "CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE");
+        addMech(CKM_TLS10_MAC_SERVER,           "CKM_TLS10_MAC_SERVER");
+        addMech(CKM_TLS10_MAC_CLIENT,           "CKM_TLS10_MAC_CLIENT");
+        addMech(CKM_TLS12_MAC,                  "CKM_TLS12_MAC");
+        addMech(CKM_TLS12_KDF,                  "CKM_TLS12_KDF");
+        addMech(CKM_TLS12_MASTER_KEY_DERIVE,    "CKM_TLS12_MASTER_KEY_DERIVE");
+        addMech(CKM_TLS12_KEY_AND_MAC_DERIVE,   "CKM_TLS12_KEY_AND_MAC_DERIVE");
+        addMech(CKM_TLS12_MASTER_KEY_DERIVE_DH, "CKM_TLS12_MASTER_KEY_DERIVE_DH");
+        addMech(CKM_TLS12_KEY_SAFE_DERIVE,      "CKM_TLS12_KEY_SAFE_DERIVE");
+        addMech(CKM_TLS_MAC,                    "CKM_TLS_MAC");
+        addMech(CKM_TLS_KDF,                    "CKM_TLS_KDF");
+
         addMech(CKM_KEY_WRAP_LYNKS,             "CKM_KEY_WRAP_LYNKS");
         addMech(CKM_KEY_WRAP_SET_OAEP,          "CKM_KEY_WRAP_SET_OAEP");
+
+        addMech(CKM_CMS_SIG,                    "CKM_CMS_SIG");
+        addMech(CKM_KIP_DERIVE,                 "CKM_KIP_DERIVE");
+        addMech(CKM_KIP_WRAP,                   "CKM_KIP_WRAP");
+        addMech(CKM_KIP_MAC,                    "CKM_KIP_MAC");
+        addMech(CKM_CAMELLIA_KEY_GEN,           "CKM_CAMELLIA_KEY_GEN");
+        addMech(CKM_CAMELLIA_ECB,               "CKM_CAMELLIA_ECB");
+        addMech(CKM_CAMELLIA_CBC,               "CKM_CAMELLIA_CBC");
+        addMech(CKM_CAMELLIA_MAC,               "CKM_CAMELLIA_MAC");
+        addMech(CKM_CAMELLIA_MAC_GENERAL,       "CKM_CAMELLIA_MAC_GENERAL");
+        addMech(CKM_CAMELLIA_CBC_PAD,           "CKM_CAMELLIA_CBC_PAD");
+        addMech(CKM_CAMELLIA_ECB_ENCRYPT_DATA,  "CKM_CAMELLIA_ECB_ENCRYPT_DATA");
+        addMech(CKM_CAMELLIA_CBC_ENCRYPT_DATA,  "CKM_CAMELLIA_CBC_ENCRYPT_DATA");
+        addMech(CKM_CAMELLIA_CTR,               "CKM_CAMELLIA_CTR");
+
+        addMech(CKM_ARIA_KEY_GEN,               "CKM_ARIA_KEY_GEN");
+        addMech(CKM_ARIA_ECB,                   "CKM_ARIA_ECB");
+        addMech(CKM_ARIA_CBC,                   "CKM_ARIA_CBC");
+        addMech(CKM_ARIA_MAC,                   "CKM_ARIA_MAC");
+        addMech(CKM_ARIA_MAC_GENERAL,           "CKM_ARIA_MAC_GENERAL");
+        addMech(CKM_ARIA_CBC_PAD,               "CKM_ARIA_CBC_PAD");
+        addMech(CKM_ARIA_ECB_ENCRYPT_DATA,      "CKM_ARIA_ECB_ENCRYPT_DATA");
+        addMech(CKM_ARIA_CBC_ENCRYPT_DATA,      "CKM_ARIA_CBC_ENCRYPT_DATA");
+
+        addMech(CKM_SEED_KEY_GEN,               "CKM_SEED_KEY_GEN");
+        addMech(CKM_SEED_ECB,                   "CKM_SEED_ECB");
+        addMech(CKM_SEED_CBC,                   "CKM_SEED_CBC");
+        addMech(CKM_SEED_MAC,                   "CKM_SEED_MAC");
+        addMech(CKM_SEED_MAC_GENERAL,           "CKM_SEED_MAC_GENERAL");
+        addMech(CKM_SEED_CBC_PAD,               "CKM_SEED_CBC_PAD");
+        addMech(CKM_SEED_ECB_ENCRYPT_DATA,      "CKM_SEED_ECB_ENCRYPT_DATA");
+        addMech(CKM_SEED_CBC_ENCRYPT_DATA,      "CKM_SEED_CBC_ENCRYPT_DATA");
+
         addMech(CKM_SKIPJACK_KEY_GEN,           "CKM_SKIPJACK_KEY_GEN");
         addMech(CKM_SKIPJACK_ECB64,             "CKM_SKIPJACK_ECB64");
         addMech(CKM_SKIPJACK_CBC64,             "CKM_SKIPJACK_CBC64");
@@ -780,9 +896,17 @@
         addMech(CKM_EC_KEY_PAIR_GEN,            "CKM_EC_KEY_PAIR_GEN");
         addMech(CKM_ECDSA,                      "CKM_ECDSA");
         addMech(CKM_ECDSA_SHA1,                 "CKM_ECDSA_SHA1");
+        addMech(CKM_ECDSA_SHA224,               "CKM_ECDSA_SHA224");
+        addMech(CKM_ECDSA_SHA256,               "CKM_ECDSA_SHA256");
+        addMech(CKM_ECDSA_SHA384,               "CKM_ECDSA_SHA384");
+        addMech(CKM_ECDSA_SHA512,               "CKM_ECDSA_SHA512");
+
         addMech(CKM_ECDH1_DERIVE,               "CKM_ECDH1_DERIVE");
         addMech(CKM_ECDH1_COFACTOR_DERIVE,      "CKM_ECDH1_COFACTOR_DERIVE");
         addMech(CKM_ECMQV_DERIVE,               "CKM_ECMQV_DERIVE");
+        addMech(CKM_ECDH_AES_KEY_WRAP,          "CKM_ECDH_AES_KEY_WRAP");
+        addMech(CKM_RSA_AES_KEY_WRAP,           "CKM_RSA_AES_KEY_WRAP");
+
         addMech(CKM_JUNIPER_KEY_GEN,            "CKM_JUNIPER_KEY_GEN");
         addMech(CKM_JUNIPER_ECB128,             "CKM_JUNIPER_ECB128");
         addMech(CKM_JUNIPER_CBC128,             "CKM_JUNIPER_CBC128");
@@ -796,11 +920,61 @@
         addMech(CKM_AES_MAC,                    "CKM_AES_MAC");
         addMech(CKM_AES_MAC_GENERAL,            "CKM_AES_MAC_GENERAL");
         addMech(CKM_AES_CBC_PAD,                "CKM_AES_CBC_PAD");
+        addMech(CKM_AES_CTR,                    "CKM_AES_CTR");
+        addMech(CKM_AES_GCM,                    "CKM_AES_GCM");
+        addMech(CKM_AES_CCM,                    "CKM_AES_CCM");
+        addMech(CKM_AES_CTS,                    "CKM_AES_CTS");
+        addMech(CKM_AES_CMAC,                   "CKM_AES_CMAC");
+        addMech(CKM_AES_CMAC_GENERAL,           "CKM_AES_CMAC_GENERAL");
+        addMech(CKM_AES_XCBC_MAC,               "CKM_AES_XCBC_MAC");
+        addMech(CKM_AES_XCBC_MAC_96,            "CKM_AES_XCBC_MAC_96");
+        addMech(CKM_AES_GMAC,                   "CKM_AES_GMAC");
+
         addMech(CKM_BLOWFISH_KEY_GEN,           "CKM_BLOWFISH_KEY_GEN");
         addMech(CKM_BLOWFISH_CBC,               "CKM_BLOWFISH_CBC");
+        addMech(CKM_TWOFISH_KEY_GEN,            "CKM_TWOFISH_KEY_GEN");
+        addMech(CKM_TWOFISH_CBC,                "CKM_TWOFISH_CBC");
+        addMech(CKM_BLOWFISH_CBC_PAD,           "CKM_BLOWFISH_CBC_PAD");
+        addMech(CKM_TWOFISH_CBC_PAD,            "CKM_TWOFISH_CBC_PAD");
+
+        addMech(CKM_DES_ECB_ENCRYPT_DATA,       "CKM_DES_ECB_ENCRYPT_DATA");
+        addMech(CKM_DES_CBC_ENCRYPT_DATA,       "CKM_DES_CBC_ENCRYPT_DATA");
+        addMech(CKM_DES3_ECB_ENCRYPT_DATA,      "CKM_DES3_ECB_ENCRYPT_DATA");
+        addMech(CKM_DES3_CBC_ENCRYPT_DATA,      "CKM_DES3_CBC_ENCRYPT_DATA");
+        addMech(CKM_AES_ECB_ENCRYPT_DATA,       "CKM_AES_ECB_ENCRYPT_DATA");
+        addMech(CKM_AES_CBC_ENCRYPT_DATA,       "CKM_AES_CBC_ENCRYPT_DATA");
+
+        addMech(CKM_GOSTR3410_KEY_PAIR_GEN,     "CKM_GOSTR3410_KEY_PAIR_GEN");
+        addMech(CKM_GOSTR3410,                  "CKM_GOSTR3410");
+        addMech(CKM_GOSTR3410_WITH_GOSTR3411,   "CKM_GOSTR3410_WITH_GOSTR3411");
+        addMech(CKM_GOSTR3410_KEY_WRAP,         "CKM_GOSTR3410_KEY_WRAP");
+        addMech(CKM_GOSTR3410_DERIVE,           "CKM_GOSTR3410_DERIVE");
+        addMech(CKM_GOSTR3411,                  "CKM_GOSTR3411");
+        addMech(CKM_GOSTR3411_HMAC,             "CKM_GOSTR3411_HMAC");
+        addMech(CKM_GOST28147_KEY_GEN,          "CKM_GOST28147_KEY_GEN");
+        addMech(CKM_GOST28147_ECB,              "CKM_GOST28147_ECB");
+        addMech(CKM_GOST28147,                  "CKM_GOST28147");
+        addMech(CKM_GOST28147_MAC,              "CKM_GOST28147_MAC");
+        addMech(CKM_GOST28147_KEY_WRAP,         "CKM_GOST28147_KEY_WRAP");
+
         addMech(CKM_DSA_PARAMETER_GEN,          "CKM_DSA_PARAMETER_GEN");
         addMech(CKM_DH_PKCS_PARAMETER_GEN,      "CKM_DH_PKCS_PARAMETER_GEN");
         addMech(CKM_X9_42_DH_PARAMETER_GEN,     "CKM_X9_42_DH_PARAMETER_GEN");
+        addMech(CKM_DSA_PROBABLISTIC_PARAMETER_GEN,
+                                                "CKM_DSA_PROBABLISTIC_PARAMETER_GEN");
+        addMech(CKM_DSA_SHAWE_TAYLOR_PARAMETER_GEN,
+                                                "CKM_DSA_SHAWE_TAYLOR_PARAMETER_GEN");
+        addMech(CKM_AES_OFB,                    "CKM_AES_OFB");
+        addMech(CKM_AES_CFB64,                  "CKM_AES_CFB64");
+        addMech(CKM_AES_CFB8,                   "CKM_AES_CFB8");
+        addMech(CKM_AES_CFB128,                 "CKM_AES_CFB128");
+        addMech(CKM_AES_CFB1,                   "CKM_AES_CFB1");
+        addMech(CKM_AES_KEY_WRAP,               "CKM_AES_KEY_WRAP");
+        addMech(CKM_AES_KEY_WRAP_PAD,           "CKM_AES_KEY_WRAP_PAD");
+
+        addMech(CKM_RSA_PKCS_TPM_1_1,           "CKM_RSA_PKCS_TPM_1_1");
+        addMech(CKM_RSA_PKCS_OAEP_TPM_1_1,      "CKM_RSA_PKCS_OAEP_TPM_1_1");
+
         addMech(CKM_VENDOR_DEFINED,             "CKM_VENDOR_DEFINED");
 
         addMech(CKM_NSS_TLS_PRF_GENERAL,        "CKM_NSS_TLS_PRF_GENERAL");
@@ -808,11 +982,13 @@
         addMech(PCKM_SECURERANDOM,              "SecureRandom");
         addMech(PCKM_KEYSTORE,                  "KeyStore");
 
-        addHashMech(CKM_SHA_1, "SHA-1");
-        addHashMech(CKM_SHA224, "SHA-224");
-        addHashMech(CKM_SHA256, "SHA-256");
-        addHashMech(CKM_SHA384, "SHA-384");
-        addHashMech(CKM_SHA512, "SHA-512");
+        addHashMech(CKM_SHA_1,                  "SHA-1", "SHA", "SHA1");
+        addHashMech(CKM_SHA224,                 "SHA-224", "SHA224");
+        addHashMech(CKM_SHA256,                 "SHA-256", "SHA256");
+        addHashMech(CKM_SHA384,                 "SHA-384", "SHA384");
+        addHashMech(CKM_SHA512,                 "SHA-512", "SHA512");
+        addHashMech(CKM_SHA512_224,             "SHA-512/224", "SHA512/224");
+        addHashMech(CKM_SHA512_256,             "SHA-512/256", "SHA512/256");
 
         addKeyType(CKK_RSA,                     "CKK_RSA");
         addKeyType(CKK_DSA,                     "CKK_DSA");
@@ -837,6 +1013,25 @@
         addKeyType(CKK_CDMF,                    "CKK_CDMF");
         addKeyType(CKK_AES,                     "CKK_AES");
         addKeyType(CKK_BLOWFISH,                "CKK_BLOWFISH");
+        addKeyType(CKK_TWOFISH,                 "CKK_TWOFISH");
+        addKeyType(CKK_SECURID,                 "CKK_SECURID");
+        addKeyType(CKK_HOTP,                    "CKK_HOTP");
+        addKeyType(CKK_ACTI,                    "CKK_ACTI");
+        addKeyType(CKK_CAMELLIA,                "CKK_CAMELLIA");
+        addKeyType(CKK_ARIA,                    "CKK_ARIA");
+        addKeyType(CKK_MD5_HMAC,                "CKK_MD5_HMAC");
+        addKeyType(CKK_SHA_1_HMAC,              "CKK_SHA_1_HMAC");
+        addKeyType(CKK_RIPEMD128_HMAC,          "CKK_RIPEMD128_HMAC");
+        addKeyType(CKK_RIPEMD160_HMAC,          "CKK_RIPEMD160_HMAC");
+        addKeyType(CKK_SHA256_HMAC,             "CKK_SHA256_HMAC");
+        addKeyType(CKK_SHA384_HMAC,             "CKK_SHA384_HMAC");
+        addKeyType(CKK_SHA512_HMAC,             "CKK_SHA512_HMAC");
+        addKeyType(CKK_SHA224_HMAC,             "CKK_SHA224_HMAC");
+        addKeyType(CKK_SEED,                    "CKK_SEED");
+        addKeyType(CKK_GOSTR3410,               "CKK_GOSTR3410");
+        addKeyType(CKK_GOSTR3411,               "CKK_GOSTR3411");
+        addKeyType(CKK_GOST28147,               "CKK_GOST28147");
+
         addKeyType(CKK_VENDOR_DEFINED,          "CKK_VENDOR_DEFINED");
 
         addKeyType(PCKK_ANY,                    "*");
@@ -855,6 +1050,16 @@
         addAttribute(CKA_OWNER,                 "CKA_OWNER");
         addAttribute(CKA_ATTR_TYPES,            "CKA_ATTR_TYPES");
         addAttribute(CKA_TRUSTED,               "CKA_TRUSTED");
+        addAttribute(CKA_CERTIFICATE_CATEGORY,  "CKA_CERTIFICATE_CATEGORY");
+        addAttribute(CKA_JAVA_MIDP_SECURITY_DOMAIN,
+                                                "CKA_JAVA_MIDP_SECURITY_DOMAIN");
+        addAttribute(CKA_URL,                   "CKA_URL");
+        addAttribute(CKA_HASH_OF_SUBJECT_PUBLIC_KEY,
+                                                "CKA_HASH_OF_SUBJECT_PUBLIC_KEY");
+        addAttribute(CKA_HASH_OF_ISSUER_PUBLIC_KEY,
+                                                "CKA_HASH_OF_ISSUER_PUBLIC_KEY");
+        addAttribute(CKA_NAME_HASH_ALGORITHM,   "CKA_NAME_HASH_ALGORITHM");
+        addAttribute(CKA_CHECK_VALUE,           "CKA_CHECK_VALUE");
         addAttribute(CKA_KEY_TYPE,              "CKA_KEY_TYPE");
         addAttribute(CKA_SUBJECT,               "CKA_SUBJECT");
         addAttribute(CKA_ID,                    "CKA_ID");
@@ -879,6 +1084,7 @@
         addAttribute(CKA_EXPONENT_1,            "CKA_EXPONENT_1");
         addAttribute(CKA_EXPONENT_2,            "CKA_EXPONENT_2");
         addAttribute(CKA_COEFFICIENT,           "CKA_COEFFICIENT");
+        addAttribute(CKA_PUBLIC_KEY_INFO,       "CKA_PUBLIC_KEY_INFO");
         addAttribute(CKA_PRIME,                 "CKA_PRIME");
         addAttribute(CKA_SUBPRIME,              "CKA_SUBPRIME");
         addAttribute(CKA_BASE,                  "CKA_BASE");
@@ -886,19 +1092,69 @@
         addAttribute(CKA_SUB_PRIME_BITS,        "CKA_SUB_PRIME_BITS");
         addAttribute(CKA_VALUE_BITS,            "CKA_VALUE_BITS");
         addAttribute(CKA_VALUE_LEN,             "CKA_VALUE_LEN");
+
         addAttribute(CKA_EXTRACTABLE,           "CKA_EXTRACTABLE");
         addAttribute(CKA_LOCAL,                 "CKA_LOCAL");
         addAttribute(CKA_NEVER_EXTRACTABLE,     "CKA_NEVER_EXTRACTABLE");
         addAttribute(CKA_ALWAYS_SENSITIVE,      "CKA_ALWAYS_SENSITIVE");
+
         addAttribute(CKA_KEY_GEN_MECHANISM,     "CKA_KEY_GEN_MECHANISM");
         addAttribute(CKA_MODIFIABLE,            "CKA_MODIFIABLE");
+        addAttribute(CKA_COPYABLE,              "CKA_COPYABLE");
+        addAttribute(CKA_DESTROYABLE,           "CKA_DESTROYABLE");
+
         addAttribute(CKA_EC_PARAMS,             "CKA_EC_PARAMS");
         addAttribute(CKA_EC_POINT,              "CKA_EC_POINT");
+
         addAttribute(CKA_SECONDARY_AUTH,        "CKA_SECONDARY_AUTH");
         addAttribute(CKA_AUTH_PIN_FLAGS,        "CKA_AUTH_PIN_FLAGS");
+        addAttribute(CKA_ALWAYS_AUTHENTICATE,   "CKA_ALWAYS_AUTHENTICATE");
+        addAttribute(CKA_WRAP_WITH_TRUSTED,     "CKA_WRAP_WITH_TRUSTED");
+        addAttribute(CKA_WRAP_TEMPLATE,         "CKA_WRAP_TEMPLATE");
+        addAttribute(CKA_UNWRAP_TEMPLATE,       "CKA_UNWRAP_TEMPLATE");
+        addAttribute(CKA_DERIVE_TEMPLATE,       "CKA_DERIVE_TEMPLATE");
+        addAttribute(CKA_OTP_FORMAT,            "CKA_OTP_FORMAT");
+        addAttribute(CKA_OTP_LENGTH,            "CKA_OTP_LENGTH");
+        addAttribute(CKA_OTP_TIME_INTERVAL,     "CKA_OTP_TIME_INTERVAL");
+        addAttribute(CKA_OTP_USER_FRIENDLY_MODE,"CKA_OTP_USER_FRIENDLY_MODE");
+        addAttribute(CKA_OTP_CHALLENGE_REQUIREMENT,
+                                                "CKA_OTP_CHALLENGE_REQUIREMENT");
+        addAttribute(CKA_OTP_TIME_REQUIREMENT,  "CKA_OTP_TIME_REQUIREMENT");
+        addAttribute(CKA_OTP_COUNTER_REQUIREMENT,
+                                                "CKA_OTP_COUNTER_REQUIREMENT");
+        addAttribute(CKA_OTP_PIN_REQUIREMENT,   "CKA_OTP_PIN_REQUIREMENT");
+        addAttribute(CKA_OTP_COUNTER,           "CKA_OTP_COUNTER");
+        addAttribute(CKA_OTP_TIME,              "CKA_OTP_TIME");
+        addAttribute(CKA_OTP_USER_IDENTIFIER,   "CKA_OTP_USER_IDENTIFIER");
+        addAttribute(CKA_OTP_SERVICE_IDENTIFIER,"CKA_OTP_SERVICE_IDENTIFIER");
+        addAttribute(CKA_OTP_SERVICE_LOGO,      "CKA_OTP_SERVICE_LOGO");
+        addAttribute(CKA_OTP_SERVICE_LOGO_TYPE, "CKA_OTP_SERVICE_LOGO_TYPE");
+        addAttribute(CKA_GOSTR3410_PARAMS,      "CKA_GOSTR3410_PARAMS");
+        addAttribute(CKA_GOSTR3411_PARAMS,      "CKA_GOSTR3411_PARAMS");
+        addAttribute(CKA_GOST28147_PARAMS,      "CKA_GOST28147_PARAMS");
+
         addAttribute(CKA_HW_FEATURE_TYPE,       "CKA_HW_FEATURE_TYPE");
         addAttribute(CKA_RESET_ON_INIT,         "CKA_RESET_ON_INIT");
         addAttribute(CKA_HAS_RESET,             "CKA_HAS_RESET");
+
+        addAttribute(CKA_PIXEL_X,               "CKA_PIXEL_X");
+        addAttribute(CKA_PIXEL_Y,               "CKA_PIXEL_Y");
+        addAttribute(CKA_RESOLUTION,            "CKA_RESOLUTION");
+        addAttribute(CKA_CHAR_ROWS,             "CKA_CHAR_ROWS");
+        addAttribute(CKA_CHAR_COLUMNS,          "CKA_CHAR_COLUMNS");
+        addAttribute(CKA_COLOR,                 "CKA_COLOR");
+        addAttribute(CKA_BITS_PER_PIXEL,        "CKA_BITS_PER_PIXEL");
+        addAttribute(CKA_CHAR_SETS,             "CKA_CHAR_SETS");
+        addAttribute(CKA_ENCODING_METHODS,      "CKA_ENCODING_METHODS");
+        addAttribute(CKA_MIME_TYPES,            "CKA_MIME_TYPES");
+        addAttribute(CKA_MECHANISM_TYPE,        "CKA_MECHANISM_TYPE");
+        addAttribute(CKA_REQUIRED_CMS_ATTRIBUTES,
+                                                "CKA_REQUIRED_CMS_ATTRIBUTES");
+        addAttribute(CKA_DEFAULT_CMS_ATTRIBUTES,"CKA_DEFAULT_CMS_ATTRIBUTES");
+        addAttribute(CKA_SUPPORTED_CMS_ATTRIBUTES,
+                                                "CKA_SUPPORTED_CMS_ATTRIBUTES");
+        addAttribute(CKA_ALLOWED_MECHANISMS,    "CKA_ALLOWED_MECHANISMS");
+
         addAttribute(CKA_VENDOR_DEFINED,        "CKA_VENDOR_DEFINED");
         addAttribute(CKA_NETSCAPE_DB,           "CKA_NETSCAPE_DB");
 
@@ -920,6 +1176,11 @@
 
         addObjectClass(PCKO_ANY,                "*");
 
+        addMGF(CKG_MGF1_SHA1,                   "CKG_MGF1_SHA1");
+        addMGF(CKG_MGF1_SHA256,                 "CKG_MGF1_SHA256");
+        addMGF(CKG_MGF1_SHA384,                 "CKG_MGF1_SHA384");
+        addMGF(CKG_MGF1_SHA512,                 "CKG_MGF1_SHA512");
+        addMGF(CKG_MGF1_SHA224,                 "CKG_MGF1_SHA224");
     }
 
 }
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java	Tue Jun 11 13:04:36 2019 -0400
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java	Tue Jun 11 21:30:28 2019 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
  */
 
 /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
@@ -97,6 +97,12 @@
         // static initializer, hence this method is empty.
     }
 
+    /* *****************************************************************************
+     * Utility, Resource Clean up
+     ******************************************************************************/
+    // always return 0L
+    public static native long freeMechanism(long hMechanism);
+
     /**
      * The PKCS#11 module to connect to. This is the PKCS#11 driver of the token;
      * e.g. pk2priv.dll.
@@ -729,17 +735,25 @@
      *
      * @param hSession the session's handle
      *         (PKCS#11 param: CK_SESSION_HANDLE hSession)
-     * @param pData the data to get encrypted and the data's length
+     * @param directIn the address of the to-be-encrypted data
+     * @param in buffer containing the to-be-encrypted data
+     * @param inOfs buffer offset of the to-be-encrypted data
+     * @param inLen length of the to-be-encrypted data
      *         (PKCS#11 param: CK_BYTE_PTR pData, CK_ULONG ulDataLen)
-     * @return the encrypted data and the encrypted data's length
+     * @param directOut the address for the encrypted data
+     * @param out buffer for the encrypted data
+     * @param outOfs buffer offset for the encrypted data
+     * @param outLen buffer size for the encrypted data
+     * @return the length of encrypted data
      *         (PKCS#11 param: CK_BYTE_PTR pEncryptedData,
      *                         CK_ULONG_PTR pulEncryptedDataLen)
      * @exception PKCS11Exception If function returns other value than CKR_OK.
-     * @preconditions (pData <> null)
-     * @postconditions (result <> null)
+     * @preconditions
+     * @postconditions
      */
-    public native int C_Encrypt(long hSession, byte[] in, int inOfs, int inLen,
-            byte[] out, int outOfs, int outLen) throws PKCS11Exception;
+    public native int C_Encrypt(long hSession, long directIn, byte[] in,
+            int inOfs, int inLen, long directOut, byte[] out, int outOfs,
+            int outLen) throws PKCS11Exception;
 
 
     /**
@@ -749,13 +763,20 @@
      *
      * @param hSession the session's handle
      *         (PKCS#11 param: CK_SESSION_HANDLE hSession)
-     * @param pPart the data part to get encrypted and the data part's length
+     * @param directIn the address of the to-be-encrypted data
+     * @param in buffer containing the to-be-encrypted data
+     * @param inOfs buffer offset of the to-be-encrypted data
+     * @param inLen length of the to-be-encrypted data
      *         (PKCS#11 param: CK_BYTE_PTR pPart, CK_ULONG ulPartLen)
-     * @return the encrypted data part and the encrypted data part's length
+     * @param directOut the address for the encrypted data
+     * @param out buffer for the encrypted data
+     * @param outOfs buffer offset for the encrypted data
+     * @param outLen buffer size for the encrypted data
+     * @return the length of encrypted data for this update
      *         (PKCS#11 param: CK_BYTE_PTR pEncryptedPart,
                              CK_ULONG_PTR pulEncryptedPartLen)
      * @exception PKCS11Exception If function returns other value than CKR_OK.
-     * @preconditions (pPart <> null)
+     * @preconditions
      * @postconditions
      */
     public native int C_EncryptUpdate(long hSession, long directIn, byte[] in,
@@ -770,12 +791,16 @@
      *
      * @param hSession the session's handle
      *         (PKCS#11 param: CK_SESSION_HANDLE hSession)
-     * @return the last encrypted data part and the last data part's length
+     * @param directOut the address for the encrypted data
+     * @param out buffer for the encrypted data
+     * @param outOfs buffer offset for the encrypted data
+     * @param outLen buffer size for the encrypted data
+     * @return the length of the last part of the encrypted data
      *         (PKCS#11 param: CK_BYTE_PTR pLastEncryptedPart,
                              CK_ULONG_PTR pulLastEncryptedPartLen)
      * @exception PKCS11Exception If function returns other value than CKR_OK.
      * @preconditions
-     * @postconditions (result <> null)
+     * @postconditions
      */
     public native int C_EncryptFinal(long hSession, long directOut, byte[] out,
             int outOfs, int outLen) throws PKCS11Exception;
@@ -805,18 +830,25 @@
      *
      * @param hSession the session's handle
      *         (PKCS#11 param: CK_SESSION_HANDLE hSession)
-     * @param pEncryptedData the encrypted data to get decrypted and the
-     *         encrypted data's length
-     *         (PKCS#11 param: CK_BYTE_PTR pEncryptedData,
-     *                         CK_ULONG ulEncryptedDataLen)
-     * @return the decrypted data and the data's length
+     * @param directIn the address of the to-be-decrypted data
+     * @param in buffer containing the to-be-decrypted data
+     * @param inOfs buffer offset of the to-be-decrypted data
+     * @param inLen length of the to-be-decrypted data
+     *         (PKCS#11 param: CK_BYTE_PTR pDecryptedData,
+     *                         CK_ULONG ulDecryptedDataLen)
+     * @param directOut the address for the decrypted data
+     * @param out buffer for the decrypted data
+     * @param outOfs buffer offset for the decrypted data
+     * @param outLen buffer size for the decrypted data
+     * @return the length of decrypted data
      *         (PKCS#11 param: CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen)
      * @exception PKCS11Exception If function returns other value than CKR_OK.
-     * @preconditions (pEncryptedPart <> null)
-     * @postconditions (result <> null)
+     * @preconditions
+     * @postconditions
      */
-    public native int C_Decrypt(long hSession, byte[] in, int inOfs, int inLen,
-            byte[] out, int outOfs, int outLen) throws PKCS11Exception;
+    public native int C_Decrypt(long hSession, long directIn, byte[] in,
+            int inOfs, int inLen, long directOut, byte[] out, int outOfs,
+            int outLen) throws PKCS11Exception;
 
 
     /**
@@ -826,14 +858,20 @@
      *
      * @param hSession the session's handle
      *         (PKCS#11 param: CK_SESSION_HANDLE hSession)
-     * @param pEncryptedPart the encrypted data part to get decrypted and the
-     *         encrypted data part's length
-     *         (PKCS#11 param: CK_BYTE_PTR pEncryptedPart,
-     *                         CK_ULONG ulEncryptedPartLen)
-     * @return the decrypted data part and the data part's length
+     * @param directIn the address of the to-be-decrypted data
+     * @param in buffer containing the to-be-decrypted data
+     * @param inOfs buffer offset of the to-be-decrypted data
+     * @param inLen length of the to-be-decrypted data
+     *         (PKCS#11 param: CK_BYTE_PTR pDecryptedPart,
+     *                         CK_ULONG ulDecryptedPartLen)
+     * @param directOut the address for the decrypted data
+     * @param out buffer for the decrypted data
+     * @param outOfs buffer offset for the decrypted data
+     * @param outLen buffer size for the decrypted data
+     * @return the length of decrypted data for this update
      *         (PKCS#11 param: CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen)
      * @exception PKCS11Exception If function returns other value than CKR_OK.
-     * @preconditions (pEncryptedPart <> null)
+     * @preconditions
      * @postconditions
      */
     public native int C_DecryptUpdate(long hSession, long directIn, byte[] in,
@@ -848,12 +886,16 @@
      *
      * @param hSession the session's handle
      *         (PKCS#11 param: CK_SESSION_HANDLE hSession)
-     * @return the last decrypted data part and the last data part's length
+     * @param directOut the address for the decrypted data
+     * @param out buffer for the decrypted data
+     * @param outOfs buffer offset for the decrypted data
+     * @param outLen buffer size for the decrypted data
+     * @return the length of this last part of decrypted data
      *         (PKCS#11 param: CK_BYTE_PTR pLastPart,
      *                         CK_ULONG_PTR pulLastPartLen)
      * @exception PKCS11Exception If function returns other value than CKR_OK.
      * @preconditions
-     * @postconditions (result <> null)
+     * @postconditions
      */
     public native int C_DecryptFinal(long hSession, long directOut, byte[] out,
             int outOfs, int outLen) throws PKCS11Exception;
@@ -1027,6 +1069,7 @@
      *
      * @param hSession the session's handle
      *         (PKCS#11 param: CK_SESSION_HANDLE hSession)
+     * @param expectedLen expected signature length, can be 0 if unknown
      * @return the signature and the signature's length
      *         (PKCS#11 param: CK_BYTE_PTR pSignature,
      *                         CK_ULONG_PTR pulSignatureLen)
@@ -1285,7 +1328,6 @@
 //            byte[] pEncryptedPart) throws PKCS11Exception;
 
 
-
 /* *****************************************************************************
  * Key management
  ******************************************************************************/
@@ -1692,10 +1734,11 @@
         super.C_EncryptInit(hSession, pMechanism, hKey);
     }
 
-    public synchronized int C_Encrypt(long hSession, byte[] in, int inOfs,
-            int inLen, byte[] out, int outOfs, int outLen)
+    public synchronized int C_Encrypt(long hSession, long directIn, byte[] in,
+            int inOfs, int inLen, long directOut, byte[] out, int outOfs, int outLen)
             throws PKCS11Exception {
-        return super.C_Encrypt(hSession, in, inOfs, inLen, out, outOfs, outLen);
+        return super.C_Encrypt(hSession, directIn, in, inOfs, inLen,
+                directOut, out, outOfs, outLen);
     }
 
     public synchronized int C_EncryptUpdate(long hSession, long directIn,
@@ -1715,10 +1758,11 @@
         super.C_DecryptInit(hSession, pMechanism, hKey);
     }
 
-    public synchronized int C_Decrypt(long hSession, byte[] in, int inOfs,
-            int inLen, byte[] out, int outOfs, int outLen)
-            throws PKCS11Exception {
-        return super.C_Decrypt(hSession, in, inOfs, inLen, out, outOfs, outLen);
+    public synchronized int C_Decrypt(long hSession, long directIn,
+            byte[] in, int inOfs, int inLen, long directOut, byte[] out,
+            int outOfs, int outLen) throws PKCS11Exception {
+        return super.C_Decrypt(hSession, directIn, in, inOfs, inLen,
+                directOut, out, outOfs, outLen);
     }
 
     public synchronized int C_DecryptUpdate(long hSession, long directIn,
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java	Tue Jun 11 13:04:36 2019 -0400
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java	Tue Jun 11 21:30:28 2019 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
  */
 
 /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
@@ -144,98 +144,46 @@
     /* normal user's PIN is set */
     public static final long  CKF_USER_PIN_INITIALIZED    = 0x00000008L;
 
-    /* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0.  If it is set,
-     * that means that *every* time the state of cryptographic
-     * operations of a session is successfully saved, all keys
-     * needed to continue those operations are stored in the state */
     public static final long  CKF_RESTORE_KEY_NOT_NEEDED  = 0x00000020L;
 
-    /* CKF_CLOCK_ON_TOKEN is new for v2.0.  If it is set, that means
-     * that the token has some sort of clock.  The time on that
-     * clock is returned in the token info structure */
     public static final long  CKF_CLOCK_ON_TOKEN          = 0x00000040L;
 
-    /* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0.  If it is
-     * set, that means that there is some way for the user to login
-     * without sending a PIN through the Cryptoki library itself */
     public static final long  CKF_PROTECTED_AUTHENTICATION_PATH = 0x00000100L;
 
-    /* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0.  If it is true,
-     * that means that a single session with the token can perform
-     * dual simultaneous cryptographic operations (digest and
-     * encrypt; decrypt and digest; sign and encrypt; and decrypt
-     * and sign) */
     public static final long  CKF_DUAL_CRYPTO_OPERATIONS  = 0x00000200L;
 
-    /* CKF_TOKEN_INITIALIZED if new for v2.10. If it is true, the
-     * token has been initialized using C_InitializeToken or an
-     * equivalent mechanism outside the scope of PKCS #11.
-     * Calling C_InitializeToken when this flag is set will cause
-     * the token to be reinitialized. */
     public static final long  CKF_TOKEN_INITIALIZED       = 0x00000400L;
 
-    /* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is
-     * true, the token supports secondary authentication for
-     * private key objects. */
     public static final long  CKF_SECONDARY_AUTHENTICATION  = 0x00000800L;
 
-    /* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an
-     * incorrect user login PIN has been entered at least once
-     * since the last successful authentication. */
     public static final long  CKF_USER_PIN_COUNT_LOW       = 0x00010000L;
 
-    /* CKF_USER_PIN_FINAL_TRY if new for v2.10. If it is true,
-     * supplying an incorrect user PIN will it to become locked. */
     public static final long  CKF_USER_PIN_FINAL_TRY       = 0x00020000L;
 
-    /* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the
-     * user PIN has been locked. User login to the token is not
-     * possible. */
     public static final long  CKF_USER_PIN_LOCKED          = 0x00040000L;
 
-    /* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
-     * the user PIN value is the default value set by token
-     * initialization or manufacturing. */
     public static final long  CKF_USER_PIN_TO_BE_CHANGED   = 0x00080000L;
 
-    /* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an
-     * incorrect SO login PIN has been entered at least once since
-     * the last successful authentication. */
     public static final long  CKF_SO_PIN_COUNT_LOW         = 0x00100000L;
 
-    /* CKF_SO_PIN_FINAL_TRY if new for v2.10. If it is true,
-     * supplying an incorrect SO PIN will it to become locked. */
     public static final long  CKF_SO_PIN_FINAL_TRY         = 0x00200000L;
 
-    /* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO
-     * PIN has been locked. SO login to the token is not possible.
-     */
     public static final long  CKF_SO_PIN_LOCKED            = 0x00400000L;
 
-    /* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
-     * the SO PIN value is the default value set by token
-     * initialization or manufacturing. */
     public static final long  CKF_SO_PIN_TO_BE_CHANGED     = 0x00800000L;
 
-
-    /* CK_USER_TYPE enumerates the types of Cryptoki users */
-    /* CK_USER_TYPE has been changed from an enum to a CK_ULONG for
-     * v2.0 */
     /* Security Officer */
     public static final long CKU_SO = 0L;
     /* Normal user */
     public static final long CKU_USER = 1L;
 
     /* CK_STATE enumerates the session states */
-    /* CK_STATE has been changed from an enum to a CK_ULONG for
-     * v2.0 */
     public static final long  CKS_RO_PUBLIC_SESSION = 0L;
     public static final long  CKS_RO_USER_FUNCTIONS = 1L;
     public static final long  CKS_RW_PUBLIC_SESSION = 2L;
     public static final long  CKS_RW_USER_FUNCTIONS = 3L;
     public static final long  CKS_RW_SO_FUNCTIONS   = 4L;
 
-
     /* The flags are defined in the following table:
      *      Bit Flag                Mask        Meaning
      */
@@ -246,8 +194,6 @@
 
 
     /* The following classes of objects are defined: */
-    /* CKO_HW_FEATURE is new for v2.10 */
-    /* CKO_DOMAIN_PARAMETERS is new for v2.11 */
     public static final long  CKO_DATA              = 0x00000000L;
     public static final long  CKO_CERTIFICATE       = 0x00000001L;
     public static final long  CKO_PUBLIC_KEY        = 0x00000002L;
@@ -267,62 +213,73 @@
     public static final long  CKH_VENDOR_DEFINED    = 0x80000000L;
 
     /* the following key types are defined: */
-    public static final long  CKK_RSA             = 0x00000000L;
-    public static final long  CKK_DSA             = 0x00000001L;
-    public static final long  CKK_DH              = 0x00000002L;
+    public static final long  CKK_RSA                  = 0x00000000L;
+    public static final long  CKK_DSA                  = 0x00000001L;
+    public static final long  CKK_DH                   = 0x00000002L;
+    public static final long  CKK_ECDSA /*deprecated*/ = 0x00000003L;
+    public static final long  CKK_EC                   = 0x00000003L;
+    public static final long  CKK_X9_42_DH             = 0x00000004L;
+    public static final long  CKK_KEA                  = 0x00000005L;
+    public static final long  CKK_GENERIC_SECRET       = 0x00000010L;
+    public static final long  CKK_RC2                  = 0x00000011L;
+    public static final long  CKK_RC4                  = 0x00000012L;
+    public static final long  CKK_DES                  = 0x00000013L;
+    public static final long  CKK_DES2                 = 0x00000014L;
+    public static final long  CKK_DES3                 = 0x00000015L;
 
-    /* CKK_ECDSA and CKK_KEA are new for v2.0 */
-    /* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred. */
-    public static final long  CKK_ECDSA           = 0x00000003L;
-    public static final long  CKK_EC              = 0x00000003L;
-    public static final long  CKK_X9_42_DH        = 0x00000004L;
-    public static final long  CKK_KEA             = 0x00000005L;
+    public static final long  CKK_CAST                 = 0x00000016L;
+    public static final long  CKK_CAST3                = 0x00000017L;
+    public static final long  CKK_CAST5 /*deprecated*/ = 0x00000018L;
+    public static final long  CKK_CAST128              = 0x00000018L;
+    public static final long  CKK_RC5                  = 0x00000019L;
+    public static final long  CKK_IDEA                 = 0x0000001AL;
+    public static final long  CKK_SKIPJACK             = 0x0000001BL;
+    public static final long  CKK_BATON                = 0x0000001CL;
+    public static final long  CKK_JUNIPER              = 0x0000001DL;
+    public static final long  CKK_CDMF                 = 0x0000001EL;
+    public static final long  CKK_AES                  = 0x0000001FL;
+    public static final long  CKK_BLOWFISH             = 0x00000020L;
+    public static final long  CKK_TWOFISH              = 0x00000021L;
+    public static final long  CKK_SECURID              = 0x00000022L;
+    public static final long  CKK_HOTP                 = 0x00000023L;
+    public static final long  CKK_ACTI                 = 0x00000024L;
+    public static final long  CKK_CAMELLIA             = 0x00000025L;
+    public static final long  CKK_ARIA                 = 0x00000026L;
 
-    public static final long  CKK_GENERIC_SECRET  = 0x00000010L;
-    public static final long  CKK_RC2             = 0x00000011L;
-    public static final long  CKK_RC4             = 0x00000012L;
-    public static final long  CKK_DES             = 0x00000013L;
-    public static final long  CKK_DES2            = 0x00000014L;
-    public static final long  CKK_DES3            = 0x00000015L;
+    public static final long  CKK_MD5_HMAC             = 0x00000027L;
+    public static final long  CKK_SHA_1_HMAC           = 0x00000028L;
+    public static final long  CKK_RIPEMD128_HMAC       = 0x00000029L;
+    public static final long  CKK_RIPEMD160_HMAC       = 0x0000002AL;
+    public static final long  CKK_SHA256_HMAC          = 0x0000002BL;
+    public static final long  CKK_SHA384_HMAC          = 0x0000002CL;
+    public static final long  CKK_SHA512_HMAC          = 0x0000002DL;
+    public static final long  CKK_SHA224_HMAC          = 0x0000002EL;
 
-    /* all these key types are new for v2.0 */
-    public static final long  CKK_CAST            = 0x00000016L;
-    public static final long  CKK_CAST3           = 0x00000017L;
-    /* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */
-    public static final long  CKK_CAST5           = 0x00000018L;
-    /* CAST128=CAST5 */
-    public static final long  CKK_CAST128         = 0x00000018L;
-    public static final long  CKK_RC5             = 0x00000019L;
-    public static final long  CKK_IDEA            = 0x0000001AL;
-    public static final long  CKK_SKIPJACK        = 0x0000001BL;
-    public static final long  CKK_BATON           = 0x0000001CL;
-    public static final long  CKK_JUNIPER         = 0x0000001DL;
-    public static final long  CKK_CDMF            = 0x0000001EL;
-    public static final long  CKK_AES             = 0x0000001FL;
-    // v2.20
-    public static final long  CKK_BLOWFISH        = 0x00000020L;
-
-    public static final long  CKK_VENDOR_DEFINED  = 0x80000000L;
-
-    // new for v2.20 amendment 3
-    //public static final long  CKK_CAMELLIA          = 0x00000025L;
-    //public static final long  CKK_ARIA              = 0x00000026L;
+    public static final long  CKK_SEED                 = 0x0000002FL;
+    public static final long  CKK_GOSTR3410            = 0x00000030L;
+    public static final long  CKK_GOSTR3411            = 0x00000031L;
+    public static final long  CKK_GOST28147            = 0x00000032L;
+;
+    public static final long  CKK_VENDOR_DEFINED       = 0x80000000L;
 
     // pseudo key type ANY (for template manager)
-    public static final long  PCKK_ANY            = 0x7FFFFF22L;
+    public static final long  PCKK_ANY                 = 0x7FFFFF22L;
 
-    public static final long  PCKK_HMAC            = 0x7FFFFF23L;
-    public static final long  PCKK_SSLMAC          = 0x7FFFFF24L;
-    public static final long  PCKK_TLSPREMASTER    = 0x7FFFFF25L;
-    public static final long  PCKK_TLSRSAPREMASTER = 0x7FFFFF26L;
-    public static final long  PCKK_TLSMASTER       = 0x7FFFFF27L;
+    public static final long  PCKK_HMAC                = 0x7FFFFF23L;
+    public static final long  PCKK_SSLMAC              = 0x7FFFFF24L;
+    public static final long  PCKK_TLSPREMASTER        = 0x7FFFFF25L;
+    public static final long  PCKK_TLSRSAPREMASTER     = 0x7FFFFF26L;
+    public static final long  PCKK_TLSMASTER           = 0x7FFFFF27L;
 
     /* The following certificate types are defined: */
-    /* CKC_X_509_ATTR_CERT is new for v2.10 */
-    public static final long  CKC_X_509           = 0x00000000L;
-    public static final long  CKC_X_509_ATTR_CERT = 0x00000001L;
-    public static final long  CKC_VENDOR_DEFINED  = 0x80000000L;
+    public static final long  CKC_X_509                = 0x00000000L;
+    public static final long  CKC_X_509_ATTR_CERT      = 0x00000001L;
+    public static final long  CKC_VENDOR_DEFINED       = 0x80000000L;
 
+    /* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which
+     * consists of an array of values.
+     */
+    public static final long  CKF_ARRAY_ATTRIBUTE      = 0x40000000L;
 
     /* The following attribute types are defined: */
     public static final long  CKA_CLASS              = 0x00000000L;
@@ -331,22 +288,26 @@
     public static final long  CKA_LABEL              = 0x00000003L;
     public static final long  CKA_APPLICATION        = 0x00000010L;
     public static final long  CKA_VALUE              = 0x00000011L;
-
-    /* CKA_OBJECT_ID is new for v2.10 */
     public static final long  CKA_OBJECT_ID          = 0x00000012L;
-
     public static final long  CKA_CERTIFICATE_TYPE   = 0x00000080L;
     public static final long  CKA_ISSUER             = 0x00000081L;
     public static final long  CKA_SERIAL_NUMBER      = 0x00000082L;
-
-    /* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new L;
-     * for v2.10 */
     public static final long  CKA_AC_ISSUER          = 0x00000083L;
     public static final long  CKA_OWNER              = 0x00000084L;
     public static final long  CKA_ATTR_TYPES         = 0x00000085L;
-
-    /* CKA_TRUSTED is new for v2.11 */
     public static final long  CKA_TRUSTED            = 0x00000086L;
+    public static final long  CKA_CERTIFICATE_CATEGORY
+                                                     = 0x00000087L;
+    public static final long  CKA_JAVA_MIDP_SECURITY_DOMAIN
+                                                     = 0x00000088L;
+    public static final long  CKA_URL                = 0x00000089L;
+    public static final long  CKA_HASH_OF_SUBJECT_PUBLIC_KEY
+                                                     = 0x0000008AL;
+    public static final long  CKA_HASH_OF_ISSUER_PUBLIC_KEY
+                                                     = 0x0000008BL;
+    public static final long  CKA_NAME_HASH_ALGORITHM
+                                                     = 0x0000008CL;
+    public static final long  CKA_CHECK_VALUE        = 0x00000090L;
 
     public static final long  CKA_KEY_TYPE           = 0x00000100L;
     public static final long  CKA_SUBJECT            = 0x00000101L;
@@ -372,45 +333,79 @@
     public static final long  CKA_EXPONENT_1         = 0x00000126L;
     public static final long  CKA_EXPONENT_2         = 0x00000127L;
     public static final long  CKA_COEFFICIENT        = 0x00000128L;
+    public static final long  CKA_PUBLIC_KEY_INFO    = 0x00000129L;
     public static final long  CKA_PRIME              = 0x00000130L;
     public static final long  CKA_SUBPRIME           = 0x00000131L;
     public static final long  CKA_BASE               = 0x00000132L;
 
-    /* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */
     public static final long  CKA_PRIME_BITS         = 0x00000133L;
     public static final long  CKA_SUB_PRIME_BITS     = 0x00000134L;
 
     public static final long  CKA_VALUE_BITS         = 0x00000160L;
     public static final long  CKA_VALUE_LEN          = 0x00000161L;
 
-    /* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE,
-     * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS,
-     * and CKA_EC_POINT are new for v2.0 */
     public static final long  CKA_EXTRACTABLE        = 0x00000162L;
     public static final long  CKA_LOCAL              = 0x00000163L;
     public static final long  CKA_NEVER_EXTRACTABLE  = 0x00000164L;
     public static final long  CKA_ALWAYS_SENSITIVE   = 0x00000165L;
 
-    /* CKA_KEY_GEN_MECHANISM is new for v2.11 */
     public static final long  CKA_KEY_GEN_MECHANISM  = 0x00000166L;
 
     public static final long  CKA_MODIFIABLE         = 0x00000170L;
+    public static final long  CKA_COPYABLE           = 0x00000171L;
+    public static final long  CKA_DESTROYABLE        = 0x00000172L;
 
-    /* CKA_ECDSA_PARAMS is deprecated in v2.11,
-     * CKA_EC_PARAMS is preferred. */
-    public static final long  CKA_ECDSA_PARAMS       = 0x00000180L;
-    public static final long  CKA_EC_PARAMS          = 0x00000180L;
-    public static final long  CKA_EC_POINT           = 0x00000181L;
+    public static final long  CKA_ECDSA_PARAMS /*deprecated*/  = 0x00000180L;
+    public static final long  CKA_EC_PARAMS                    = 0x00000180L;
+    public static final long  CKA_EC_POINT                     = 0x00000181L;
 
-    /* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS,
-     * CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET
-     * are new for v2.10 */
-    public static final long  CKA_SECONDARY_AUTH     = 0x00000200L;
-    public static final long  CKA_AUTH_PIN_FLAGS     = 0x00000201L;
+    public static final long  CKA_SECONDARY_AUTH /*deprecated*/= 0x00000200L;
+    public static final long  CKA_AUTH_PIN_FLAGS /*deprecated*/= 0x00000201L;
+    public static final long  CKA_ALWAYS_AUTHENTICATE          = 0x00000202L;
+    public static final long  CKA_WRAP_WITH_TRUSTED  = 0x00000210L;
+    public static final long  CKA_WRAP_TEMPLATE      = (CKF_ARRAY_ATTRIBUTE|0x00000211L);
+    public static final long  CKA_UNWRAP_TEMPLATE    = (CKF_ARRAY_ATTRIBUTE|0x00000212L);
+    public static final long  CKA_DERIVE_TEMPLATE    = (CKF_ARRAY_ATTRIBUTE|0x00000213L);
+
+    public static final long  CKA_OTP_FORMAT         = 0x00000220L;
+    public static final long  CKA_OTP_LENGTH         = 0x00000221L;
+    public static final long  CKA_OTP_TIME_INTERVAL  = 0x00000222L;
+    public static final long  CKA_OTP_USER_FRIENDLY_MODE       = 0x00000223L;
+    public static final long  CKA_OTP_CHALLENGE_REQUIREMENT    = 0x00000224L;
+    public static final long  CKA_OTP_TIME_REQUIREMENT         = 0x00000225L;
+    public static final long  CKA_OTP_COUNTER_REQUIREMENT      = 0x00000226L;
+    public static final long  CKA_OTP_PIN_REQUIREMENT          = 0x00000227L;
+    public static final long  CKA_OTP_COUNTER        = 0x0000022EL;
+    public static final long  CKA_OTP_TIME           = 0x0000022FL;
+    public static final long  CKA_OTP_USER_IDENTIFIER          = 0x0000022AL;
+    public static final long  CKA_OTP_SERVICE_IDENTIFIER       = 0x0000022BL;
+    public static final long  CKA_OTP_SERVICE_LOGO   = 0x0000022CL;
+    public static final long  CKA_OTP_SERVICE_LOGO_TYPE        = 0x0000022DL;
+
+    public static final long  CKA_GOSTR3410_PARAMS   = 0x00000250L;
+    public static final long  CKA_GOSTR3411_PARAMS   = 0x00000251L;
+    public static final long  CKA_GOST28147_PARAMS   = 0x00000252L;
+
     public static final long  CKA_HW_FEATURE_TYPE    = 0x00000300L;
     public static final long  CKA_RESET_ON_INIT      = 0x00000301L;
     public static final long  CKA_HAS_RESET          = 0x00000302L;
 
+    public static final long  CKA_PIXEL_X            = 0x00000400L;
+    public static final long  CKA_PIXEL_Y            = 0x00000401L;
+    public static final long  CKA_RESOLUTION         = 0x00000402L;
+    public static final long  CKA_CHAR_ROWS          = 0x00000403L;
+    public static final long  CKA_CHAR_COLUMNS       = 0x00000404L;
+    public static final long  CKA_COLOR              = 0x00000405L;
+    public static final long  CKA_BITS_PER_PIXEL     = 0x00000406L;
+    public static final long  CKA_CHAR_SETS          = 0x00000480L;
+    public static final long  CKA_ENCODING_METHODS   = 0x00000481L;
+    public static final long  CKA_MIME_TYPES         = 0x00000482L;
+    public static final long  CKA_MECHANISM_TYPE     = 0x00000500L;
+    public static final long  CKA_REQUIRED_CMS_ATTRIBUTES      = 0x00000501L;
+    public static final long  CKA_DEFAULT_CMS_ATTRIBUTES       = 0x00000502L;
+    public static final long  CKA_SUPPORTED_CMS_ATTRIBUTES     = 0x00000503L;
+    public static final long  CKA_ALLOWED_MECHANISMS = (CKF_ARRAY_ATTRIBUTE|0x00000600L);
+
     public static final long  CKA_VENDOR_DEFINED     = 0x80000000L;
 
     /* the following mechanism types are defined: */
@@ -419,20 +414,14 @@
     public static final long  CKM_RSA_9796                   = 0x00000002L;
     public static final long  CKM_RSA_X_509                  = 0x00000003L;
 
-    /* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS
-     * are new for v2.0.  They are mechanisms which hash and sign */
     public static final long  CKM_MD2_RSA_PKCS               = 0x00000004L;
     public static final long  CKM_MD5_RSA_PKCS               = 0x00000005L;
     public static final long  CKM_SHA1_RSA_PKCS              = 0x00000006L;
 
-    /* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS, and
-     * CKM_RSA_PKCS_OAEP are new for v2.10 */
     public static final long  CKM_RIPEMD128_RSA_PKCS         = 0x00000007L;
     public static final long  CKM_RIPEMD160_RSA_PKCS         = 0x00000008L;
     public static final long  CKM_RSA_PKCS_OAEP              = 0x00000009L;
 
-    /* CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31,
-     * CKM_RSA_PKCS_PSS, and CKM_SHA1_RSA_PKCS_PSS are new for v2.11 */
     public static final long  CKM_RSA_X9_31_KEY_PAIR_GEN     = 0x0000000AL;
     public static final long  CKM_RSA_X9_31                  = 0x0000000BL;
     public static final long  CKM_SHA1_RSA_X9_31             = 0x0000000CL;
@@ -442,28 +431,48 @@
     public static final long  CKM_DSA_KEY_PAIR_GEN           = 0x00000010L;
     public static final long  CKM_DSA                        = 0x00000011L;
     public static final long  CKM_DSA_SHA1                   = 0x00000012L;
+    public static final long  CKM_DSA_SHA224                 = 0x00000013L;
+    public static final long  CKM_DSA_SHA256                 = 0x00000014L;
+    public static final long  CKM_DSA_SHA384                 = 0x00000015L;
+    public static final long  CKM_DSA_SHA512                 = 0x00000016L;
+
     public static final long  CKM_DH_PKCS_KEY_PAIR_GEN       = 0x00000020L;
     public static final long  CKM_DH_PKCS_DERIVE             = 0x00000021L;
 
-    /* CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE,
-     * CKM_X9_42_DH_HYBRID_DERIVE, and CKM_X9_42_MQV_DERIVE are new for
-     * v2.11 */
     public static final long  CKM_X9_42_DH_KEY_PAIR_GEN      = 0x00000030L;
     public static final long  CKM_X9_42_DH_DERIVE            = 0x00000031L;
     public static final long  CKM_X9_42_DH_HYBRID_DERIVE     = 0x00000032L;
     public static final long  CKM_X9_42_MQV_DERIVE           = 0x00000033L;
 
-    // v2.20
     public static final long  CKM_SHA256_RSA_PKCS            = 0x00000040L;
     public static final long  CKM_SHA384_RSA_PKCS            = 0x00000041L;
     public static final long  CKM_SHA512_RSA_PKCS            = 0x00000042L;
+    public static final long  CKM_SHA256_RSA_PKCS_PSS        = 0x00000043L;
+    public static final long  CKM_SHA384_RSA_PKCS_PSS        = 0x00000044L;
+    public static final long  CKM_SHA512_RSA_PKCS_PSS        = 0x00000045L;
+
+    public static final long  CKM_SHA224_RSA_PKCS            = 0x00000046L;
+    public static final long  CKM_SHA224_RSA_PKCS_PSS        = 0x00000047L;
+
+    public static final long  CKM_SHA512_224                 = 0x00000048L;
+    public static final long  CKM_SHA512_224_HMAC            = 0x00000049L;
+    public static final long  CKM_SHA512_224_HMAC_GENERAL    = 0x0000004AL;
+    public static final long  CKM_SHA512_224_KEY_DERIVATION  = 0x0000004BL;
+    public static final long  CKM_SHA512_256                 = 0x0000004CL;
+    public static final long  CKM_SHA512_256_HMAC            = 0x0000004DL;
+    public static final long  CKM_SHA512_256_HMAC_GENERAL    = 0x0000004EL;
+    public static final long  CKM_SHA512_256_KEY_DERIVATION  = 0x0000004FL;
+
+    public static final long  CKM_SHA512_T                   = 0x00000050L;
+    public static final long  CKM_SHA512_T_HMAC              = 0x00000051L;
+    public static final long  CKM_SHA512_T_HMAC_GENERAL      = 0x00000052L;
+    public static final long  CKM_SHA512_T_KEY_DERIVATION    = 0x00000053L;
 
     public static final long  CKM_RC2_KEY_GEN                = 0x00000100L;
     public static final long  CKM_RC2_ECB                    = 0x00000101L;
     public static final long  CKM_RC2_CBC                    = 0x00000102L;
     public static final long  CKM_RC2_MAC                    = 0x00000103L;
 
-    /* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */
     public static final long  CKM_RC2_MAC_GENERAL            = 0x00000104L;
     public static final long  CKM_RC2_CBC_PAD                = 0x00000105L;
 
@@ -474,7 +483,6 @@
     public static final long  CKM_DES_CBC                    = 0x00000122L;
     public static final long  CKM_DES_MAC                    = 0x00000123L;
 
-    /* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */
     public static final long  CKM_DES_MAC_GENERAL            = 0x00000124L;
     public static final long  CKM_DES_CBC_PAD                = 0x00000125L;
 
@@ -484,11 +492,10 @@
     public static final long  CKM_DES3_CBC                   = 0x00000133L;
     public static final long  CKM_DES3_MAC                   = 0x00000134L;
 
-    /* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN,
-     * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC,
-     * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */
     public static final long  CKM_DES3_MAC_GENERAL           = 0x00000135L;
     public static final long  CKM_DES3_CBC_PAD               = 0x00000136L;
+    public static final long  CKM_DES3_CMAC_GENERAL          = 0x00000137L;
+    public static final long  CKM_DES3_CMAC                  = 0x00000138L;
     public static final long  CKM_CDMF_KEY_GEN               = 0x00000140L;
     public static final long  CKM_CDMF_ECB                   = 0x00000141L;
     public static final long  CKM_CDMF_CBC                   = 0x00000142L;
@@ -496,27 +503,26 @@
     public static final long  CKM_CDMF_MAC_GENERAL           = 0x00000144L;
     public static final long  CKM_CDMF_CBC_PAD               = 0x00000145L;
 
+    public static final long  CKM_DES_OFB64                  = 0x00000150L;
+    public static final long  CKM_DES_OFB8                   = 0x00000151L;
+    public static final long  CKM_DES_CFB64                  = 0x00000152L;
+    public static final long  CKM_DES_CFB8                   = 0x00000153L;
+
     public static final long  CKM_MD2                        = 0x00000200L;
 
-    /* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */
     public static final long  CKM_MD2_HMAC                   = 0x00000201L;
     public static final long  CKM_MD2_HMAC_GENERAL           = 0x00000202L;
 
     public static final long  CKM_MD5                        = 0x00000210L;
 
-    /* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */
     public static final long  CKM_MD5_HMAC                   = 0x00000211L;
     public static final long  CKM_MD5_HMAC_GENERAL           = 0x00000212L;
 
     public static final long  CKM_SHA_1                      = 0x00000220L;
 
-    /* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */
     public static final long  CKM_SHA_1_HMAC                 = 0x00000221L;
     public static final long  CKM_SHA_1_HMAC_GENERAL         = 0x00000222L;
 
-    /* CKM_RIPEMD128, CKM_RIPEMD128_HMAC,
-     * CKM_RIPEMD128_HMAC_GENERAL, CKM_RIPEMD160, CKM_RIPEMD160_HMAC,
-     * and CKM_RIPEMD160_HMAC_GENERAL are new for v2.10 */
     public static final long  CKM_RIPEMD128                  = 0x00000230L;
     public static final long  CKM_RIPEMD128_HMAC             = 0x00000231L;
     public static final long  CKM_RIPEMD128_HMAC_GENERAL     = 0x00000232L;
@@ -524,11 +530,12 @@
     public static final long  CKM_RIPEMD160_HMAC             = 0x00000241L;
     public static final long  CKM_RIPEMD160_HMAC_GENERAL     = 0x00000242L;
 
-    // v2.20
     public static final long  CKM_SHA256                     = 0x00000250L;
     public static final long  CKM_SHA256_HMAC                = 0x00000251L;
     public static final long  CKM_SHA256_HMAC_GENERAL        = 0x00000252L;
-
+    public static final long  CKM_SHA224                     = 0x00000255L;
+    public static final long  CKM_SHA224_HMAC                = 0x00000256L;
+    public static final long  CKM_SHA224_HMAC_GENERAL        = 0x00000257L;
     public static final long  CKM_SHA384                     = 0x00000260L;
     public static final long  CKM_SHA384_HMAC                = 0x00000261L;
     public static final long  CKM_SHA384_HMAC_GENERAL        = 0x00000262L;
@@ -537,8 +544,13 @@
     public static final long  CKM_SHA512_HMAC                = 0x00000271L;
     public static final long  CKM_SHA512_HMAC_GENERAL        = 0x00000272L;
 
-    /* All of the following mechanisms are new for v2.0 */
-    /* Note that CAST128 and CAST5 are the same algorithm */
+    public static final long  CKM_SECURID_KEY_GEN            = 0x00000280L;
+    public static final long  CKM_SECURID                    = 0x00000282L;
+    public static final long  CKM_HOTP_KEY_GEN               = 0x00000290L;
+    public static final long  CKM_HOTP                       = 0x00000291L;
+    public static final long  CKM_ACTI                       = 0x000002A0L;
+    public static final long  CKM_ACTI_KEY_GEN               = 0x000002A1L;
+
     public static final long  CKM_CAST_KEY_GEN               = 0x00000300L;
     public static final long  CKM_CAST_ECB                   = 0x00000301L;
     public static final long  CKM_CAST_CBC                   = 0x00000302L;
@@ -551,18 +563,20 @@
     public static final long  CKM_CAST3_MAC                  = 0x00000313L;
     public static final long  CKM_CAST3_MAC_GENERAL          = 0x00000314L;
     public static final long  CKM_CAST3_CBC_PAD              = 0x00000315L;
-    public static final long  CKM_CAST5_KEY_GEN              = 0x00000320L;
-    public static final long  CKM_CAST128_KEY_GEN            = 0x00000320L;
-    public static final long  CKM_CAST5_ECB                  = 0x00000321L;
-    public static final long  CKM_CAST128_ECB                = 0x00000321L;
-    public static final long  CKM_CAST5_CBC                  = 0x00000322L;
-    public static final long  CKM_CAST128_CBC                = 0x00000322L;
-    public static final long  CKM_CAST5_MAC                  = 0x00000323L;
-    public static final long  CKM_CAST128_MAC                = 0x00000323L;
-    public static final long  CKM_CAST5_MAC_GENERAL          = 0x00000324L;
-    public static final long  CKM_CAST128_MAC_GENERAL        = 0x00000324L;
-    public static final long  CKM_CAST5_CBC_PAD              = 0x00000325L;
-    public static final long  CKM_CAST128_CBC_PAD            = 0x00000325L;
+    /* Note that CAST128 and CAST5 are the same algorithm */
+    public static final long  CKM_CAST5_KEY_GEN                = 0x00000320L;
+    public static final long  CKM_CAST128_KEY_GEN              = 0x00000320L;
+    public static final long  CKM_CAST5_ECB                    = 0x00000321L;
+    public static final long  CKM_CAST128_ECB                  = 0x00000321L;
+    public static final long  CKM_CAST5_CBC /*deprecated*/     = 0x00000322L;
+    public static final long  CKM_CAST128_CBC                  = 0x00000322L;
+    public static final long  CKM_CAST5_MAC /*deprecated*/     = 0x00000323L;
+    public static final long  CKM_CAST128_MAC                  = 0x00000323L;
+    public static final long  CKM_CAST5_MAC_GENERAL /*deprecated*/
+                                                               = 0x00000324L;
+    public static final long  CKM_CAST128_MAC_GENERAL          = 0x00000324L;
+    public static final long  CKM_CAST5_CBC_PAD /*deprecated*/ = 0x00000325L;
+    public static final long  CKM_CAST128_CBC_PAD              = 0x00000325L;
     public static final long  CKM_RC5_KEY_GEN                = 0x00000330L;
     public static final long  CKM_RC5_ECB                    = 0x00000331L;
     public static final long  CKM_RC5_CBC                    = 0x00000332L;
@@ -585,9 +599,6 @@
     public static final long  CKM_SSL3_MASTER_KEY_DERIVE     = 0x00000371L;
     public static final long  CKM_SSL3_KEY_AND_MAC_DERIVE    = 0x00000372L;
 
-    /* CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_PRE_MASTER_KEY_GEN,
-     * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, and
-     * CKM_TLS_MASTER_KEY_DERIVE_DH are new for v2.11 */
     public static final long  CKM_SSL3_MASTER_KEY_DERIVE_DH  = 0x00000373L;
     public static final long  CKM_TLS_PRE_MASTER_KEY_GEN     = 0x00000374L;
     public static final long  CKM_TLS_MASTER_KEY_DERIVE      = 0x00000375L;
@@ -601,10 +612,10 @@
     public static final long  CKM_MD2_KEY_DERIVATION         = 0x00000391L;
     public static final long  CKM_SHA1_KEY_DERIVATION        = 0x00000392L;
 
-    // v2.20
     public static final long  CKM_SHA256_KEY_DERIVATION      = 0x00000393L;
     public static final long  CKM_SHA384_KEY_DERIVATION      = 0x00000394L;
     public static final long  CKM_SHA512_KEY_DERIVATION      = 0x00000395L;
+    public static final long  CKM_SHA224_KEY_DERIVATION      = 0x00000396L;
 
     public static final long  CKM_PBE_MD2_DES_CBC            = 0x000003A0L;
     public static final long  CKM_PBE_MD5_DES_CBC            = 0x000003A1L;
@@ -621,22 +632,65 @@
     public static final long  CKM_PBE_SHA1_RC2_128_CBC       = 0x000003AAL;
     public static final long  CKM_PBE_SHA1_RC2_40_CBC        = 0x000003ABL;
 
-    /* CKM_PKCS5_PBKD2 is new for v2.10 */
     public static final long  CKM_PKCS5_PBKD2                = 0x000003B0L;
 
     public static final long  CKM_PBA_SHA1_WITH_SHA1_HMAC    = 0x000003C0L;
 
-    /* CKM_TLS12_MASTER_KEY_DERIVE, CKM_TLS12_KEY_AND_MAC_DERIVE,
-     * CKM_TLS12_MASTER_KEY_DERIVE_DH and CKM_TLS_MAC are new for v2.40 */
+    public static final long  CKM_WTLS_PRE_MASTER_KEY_GEN         = 0x000003D0L;
+    public static final long  CKM_WTLS_MASTER_KEY_DERIVE          = 0x000003D1L;
+    public static final long  CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC   = 0x000003D2L;
+    public static final long  CKM_WTLS_PRF                        = 0x000003D3L;
+    public static final long  CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE  = 0x000003D4L;
+    public static final long  CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE  = 0x000003D5L;
+
+    public static final long  CKM_TLS10_MAC_SERVER           = 0x000003D6L;
+    public static final long  CKM_TLS10_MAC_CLIENT           = 0x000003D7L;
+    public static final long  CKM_TLS12_MAC                  = 0x000003D8L;
+    public static final long  CKM_TLS12_KDF                  = 0x000003D9L;
+
     public static final long  CKM_TLS12_MASTER_KEY_DERIVE    = 0x000003E0L;
     public static final long  CKM_TLS12_KEY_AND_MAC_DERIVE   = 0x000003E1L;
     public static final long  CKM_TLS12_MASTER_KEY_DERIVE_DH = 0x000003E2L;
+    public static final long  CKM_TLS12_KEY_SAFE_DERIVE      = 0x000003E3L;
     public static final long  CKM_TLS_MAC                    = 0x000003E4L;
+    public static final long  CKM_TLS_KDF                    = 0x000003E5L;
 
     public static final long  CKM_KEY_WRAP_LYNKS             = 0x00000400L;
     public static final long  CKM_KEY_WRAP_SET_OAEP          = 0x00000401L;
 
-    /* Fortezza mechanisms */
+    public static final long  CKM_CMS_SIG                    = 0x00000500L;
+    public static final long  CKM_KIP_DERIVE                 = 0x00000510L;
+    public static final long  CKM_KIP_WRAP                   = 0x00000511L;
+    public static final long  CKM_KIP_MAC                    = 0x00000512L;
+
+    public static final long  CKM_CAMELLIA_KEY_GEN           = 0x00000550L;
+    public static final long  CKM_CAMELLIA_ECB               = 0x00000551L;
+    public static final long  CKM_CAMELLIA_CBC               = 0x00000552L;
+    public static final long  CKM_CAMELLIA_MAC               = 0x00000553L;
+    public static final long  CKM_CAMELLIA_MAC_GENERAL       = 0x00000554L;
+    public static final long  CKM_CAMELLIA_CBC_PAD           = 0x00000555L;
+    public static final long  CKM_CAMELLIA_ECB_ENCRYPT_DATA  = 0x00000556L;
+    public static final long  CKM_CAMELLIA_CBC_ENCRYPT_DATA  = 0x00000557L;
+    public static final long  CKM_CAMELLIA_CTR               = 0x00000558L;
+
+    public static final long  CKM_ARIA_KEY_GEN               = 0x00000560L;
+    public static final long  CKM_ARIA_ECB                   = 0x00000561L;
+    public static final long  CKM_ARIA_CBC                   = 0x00000562L;
+    public static final long  CKM_ARIA_MAC                   = 0x00000563L;
+    public static final long  CKM_ARIA_MAC_GENERAL           = 0x00000564L;
+    public static final long  CKM_ARIA_CBC_PAD               = 0x00000565L;
+    public static final long  CKM_ARIA_ECB_ENCRYPT_DATA      = 0x00000566L;
+    public static final long  CKM_ARIA_CBC_ENCRYPT_DATA      = 0x00000567L;
+
+    public static final long  CKM_SEED_KEY_GEN               = 0x00000650L;
+    public static final long  CKM_SEED_ECB                   = 0x00000651L;
+    public static final long  CKM_SEED_CBC                   = 0x00000652L;
+    public static final long  CKM_SEED_MAC                   = 0x00000653L;
+    public static final long  CKM_SEED_MAC_GENERAL           = 0x00000654L;
+    public static final long  CKM_SEED_CBC_PAD               = 0x00000655L;
+    public static final long  CKM_SEED_ECB_ENCRYPT_DATA      = 0x00000656L;
+    public static final long  CKM_SEED_CBC_ENCRYPT_DATA      = 0x00000657L;
+
     public static final long  CKM_SKIPJACK_KEY_GEN           = 0x00001000L;
     public static final long  CKM_SKIPJACK_ECB64             = 0x00001001L;
     public static final long  CKM_SKIPJACK_CBC64             = 0x00001002L;
@@ -650,6 +704,7 @@
     public static final long  CKM_SKIPJACK_RELAYX            = 0x0000100AL;
     public static final long  CKM_KEA_KEY_PAIR_GEN           = 0x00001010L;
     public static final long  CKM_KEA_KEY_DERIVE             = 0x00001011L;
+    public static final long  CKM_KEA_DERIVE                 = 0x00001012L;
     public static final long  CKM_FORTEZZA_TIMESTAMP         = 0x00001020L;
     public static final long  CKM_BATON_KEY_GEN              = 0x00001030L;
     public static final long  CKM_BATON_ECB128               = 0x00001031L;
@@ -659,20 +714,24 @@
     public static final long  CKM_BATON_SHUFFLE              = 0x00001035L;
     public static final long  CKM_BATON_WRAP                 = 0x00001036L;
 
-    /* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11,
-     * CKM_EC_KEY_PAIR_GEN is preferred */
-    public static final long  CKM_ECDSA_KEY_PAIR_GEN         = 0x00001040L;
+    public static final long  CKM_ECDSA_KEY_PAIR_GEN /*deprecated*/
+                                                             = 0x00001040L;
     public static final long  CKM_EC_KEY_PAIR_GEN            = 0x00001040L;
 
     public static final long  CKM_ECDSA                      = 0x00001041L;
     public static final long  CKM_ECDSA_SHA1                 = 0x00001042L;
+    public static final long  CKM_ECDSA_SHA224               = 0x00001043L;
+    public static final long  CKM_ECDSA_SHA256               = 0x00001044L;
+    public static final long  CKM_ECDSA_SHA384               = 0x00001045L;
+    public static final long  CKM_ECDSA_SHA512               = 0x00001046L;
 
-    /* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE
-     * are new for v2.11 */
     public static final long  CKM_ECDH1_DERIVE               = 0x00001050L;
     public static final long  CKM_ECDH1_COFACTOR_DERIVE      = 0x00001051L;
     public static final long  CKM_ECMQV_DERIVE               = 0x00001052L;
 
+    public static final long  CKM_ECDH_AES_KEY_WRAP          = 0x00001053L;
+    public static final long  CKM_RSA_AES_KEY_WRAP           = 0x00001054L;
+
     public static final long  CKM_JUNIPER_KEY_GEN            = 0x00001060L;
     public static final long  CKM_JUNIPER_ECB128             = 0x00001061L;
     public static final long  CKM_JUNIPER_CBC128             = 0x00001062L;
@@ -681,70 +740,79 @@
     public static final long  CKM_JUNIPER_WRAP               = 0x00001065L;
     public static final long  CKM_FASTHASH                   = 0x00001070L;
 
-    /* CKM_AES_KEY_GEN, CKM_AES_ECB, CKM_AES_CBC, CKM_AES_MAC,
-     * CKM_AES_MAC_GENERAL, CKM_AES_CBC_PAD, CKM_DSA_PARAMETER_GEN,
-     * CKM_DH_PKCS_PARAMETER_GEN, and CKM_X9_42_DH_PARAMETER_GEN are
-     * new for v2.11 */
     public static final long  CKM_AES_KEY_GEN                = 0x00001080L;
     public static final long  CKM_AES_ECB                    = 0x00001081L;
     public static final long  CKM_AES_CBC                    = 0x00001082L;
     public static final long  CKM_AES_MAC                    = 0x00001083L;
     public static final long  CKM_AES_MAC_GENERAL            = 0x00001084L;
     public static final long  CKM_AES_CBC_PAD                = 0x00001085L;
-    // v2.20
+    public static final long  CKM_AES_CTR                    = 0x00001086L;
+    public static final long  CKM_AES_GCM                    = 0x00001087L;
+    public static final long  CKM_AES_CCM                    = 0x00001088L;
+    public static final long  CKM_AES_CTS                    = 0x00001089L;
+    public static final long  CKM_AES_CMAC                   = 0x0000108AL;
+    public static final long  CKM_AES_CMAC_GENERAL           = 0x0000108BL;
+
+    public static final long  CKM_AES_XCBC_MAC               = 0x0000108CL;
+    public static final long  CKM_AES_XCBC_MAC_96            = 0x0000108DL;
+    public static final long  CKM_AES_GMAC                   = 0x0000108EL;
+
     public static final long  CKM_BLOWFISH_KEY_GEN           = 0x00001090L;
     public static final long  CKM_BLOWFISH_CBC               = 0x00001091L;
+    public static final long  CKM_TWOFISH_KEY_GEN            = 0x00001092L;
+    public static final long  CKM_TWOFISH_CBC                = 0x00001093L;
+    public static final long  CKM_BLOWFISH_CBC_PAD           = 0x00001094L;
+    public static final long  CKM_TWOFISH_CBC_PAD            = 0x00001095L;
+
+    public static final long  CKM_DES_ECB_ENCRYPT_DATA       = 0x00001100L;
+    public static final long  CKM_DES_CBC_ENCRYPT_DATA       = 0x00001101L;
+    public static final long  CKM_DES3_ECB_ENCRYPT_DATA      = 0x00001102L;
+    public static final long  CKM_DES3_CBC_ENCRYPT_DATA      = 0x00001103L;
+    public static final long  CKM_AES_ECB_ENCRYPT_DATA       = 0x00001104L;
+    public static final long  CKM_AES_CBC_ENCRYPT_DATA       = 0x00001105L;
+
+    public static final long  CKM_GOSTR3410_KEY_PAIR_GEN     = 0x00001200L;
+    public static final long  CKM_GOSTR3410                  = 0x00001201L;
+    public static final long  CKM_GOSTR3410_WITH_GOSTR3411   = 0x00001202L;
+    public static final long  CKM_GOSTR3410_KEY_WRAP         = 0x00001203L;
+    public static final long  CKM_GOSTR3410_DERIVE           = 0x00001204L;
+    public static final long  CKM_GOSTR3411                  = 0x00001210L;
+    public static final long  CKM_GOSTR3411_HMAC             = 0x00001211L;
+    public static final long  CKM_GOST28147_KEY_GEN          = 0x00001220L;
+    public static final long  CKM_GOST28147_ECB              = 0x00001221L;
+    public static final long  CKM_GOST28147                  = 0x00001222L;
+    public static final long  CKM_GOST28147_MAC              = 0x00001223L;
+    public static final long  CKM_GOST28147_KEY_WRAP         = 0x00001224L;
+
     public static final long  CKM_DSA_PARAMETER_GEN          = 0x00002000L;
     public static final long  CKM_DH_PKCS_PARAMETER_GEN      = 0x00002001L;
     public static final long  CKM_X9_42_DH_PARAMETER_GEN     = 0x00002002L;
+    public static final long  CKM_DSA_PROBABLISTIC_PARAMETER_GEN = 0x00002003L;
+    public static final long  CKM_DSA_SHAWE_TAYLOR_PARAMETER_GEN = 0x00002004L;
+
+    public static final long  CKM_AES_OFB                    = 0x00002104L;
+    public static final long  CKM_AES_CFB64                  = 0x00002105L;
+    public static final long  CKM_AES_CFB8                   = 0x00002106L;
+    public static final long  CKM_AES_CFB128                 = 0x00002107L;
+    public static final long  CKM_AES_CFB1                   = 0x00002108L;
+    public static final long  CKM_AES_KEY_WRAP               = 0x00002109L;
+    public static final long  CKM_AES_KEY_WRAP_PAD           = 0x0000210AL;
+
+    public static final long  CKM_RSA_PKCS_TPM_1_1           = 0x00004001L;
+    public static final long  CKM_RSA_PKCS_OAEP_TPM_1_1      = 0x00004002L;
 
     public static final long  CKM_VENDOR_DEFINED             = 0x80000000L;
 
-    // new for v2.20 amendment 3
-    public static final long  CKM_SHA224                     = 0x00000255L;
-    public static final long  CKM_SHA224_HMAC                = 0x00000256L;
-    public static final long  CKM_SHA224_HMAC_GENERAL        = 0x00000257L;
-    public static final long  CKM_SHA224_KEY_DERIVATION      = 0x00000396L;
-    public static final long  CKM_SHA224_RSA_PKCS            = 0x00000046L;
-    public static final long  CKM_SHA224_RSA_PKCS_PSS        = 0x00000047L;
-    public static final long  CKM_AES_CTR                    = 0x00001086L;
-    /*
-    public static final long  CKM_CAMELLIA_KEY_GEN           = 0x00000550L;
-    public static final long  CKM_CAMELLIA_ECB               = 0x00000551L;
-    public static final long  CKM_CAMELLIA_CBC               = 0x00000552L;
-    public static final long  CKM_CAMELLIA_MAC               = 0x00000553L;
-    public static final long  CKM_CAMELLIA_MAC_GENERAL       = 0x00000554L;
-    public static final long  CKM_CAMELLIA_CBC_PAD           = 0x00000555L;
-    public static final long  CKM_CAMELLIA_ECB_ENCRYPT_DATA  = 0x00000556L;
-    public static final long  CKM_CAMELLIA_CBC_ENCRYPT_DATA  = 0x00000557L;
-    public static final long  CKM_CAMELLIA_CTR               = 0x00000558L;
-    public static final long  CKM_ARIA_KEY_GEN               = 0x00000560L;
-    public static final long  CKM_ARIA_ECB                   = 0x00000561L;
-    public static final long  CKM_ARIA_CBC                   = 0x00000562L;
-    public static final long  CKM_ARIA_MAC                   = 0x00000563L;
-    public static final long  CKM_ARIA_MAC_GENERAL           = 0x00000564L;
-    public static final long  CKM_ARIA_CBC_PAD               = 0x00000565L;
-    public static final long  CKM_ARIA_ECB_ENCRYPT_DATA      = 0x00000566L;
-    public static final long  CKM_ARIA_CBC_ENCRYPT_DATA      = 0x00000567L;
-    */
-
     // NSS private
     public static final long  CKM_NSS_TLS_PRF_GENERAL        = 0x80000373L;
 
-    // ids for our pseudo mechanisms SecureRandom and KeyStore
+    // internal ids for our pseudo mechanisms SecureRandom and KeyStore
     public static final long  PCKM_SECURERANDOM              = 0x7FFFFF20L;
     public static final long  PCKM_KEYSTORE                  = 0x7FFFFF21L;
 
-    /* The flags are defined as follows:
-     *      Bit Flag               Mask        Meaning */
-    /* performed by HW */
+    /* The flags specify whether or not a mechanism can be used for a
+     * particular task */
     public static final long  CKF_HW                 = 0x00000001L;
-
-    /* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN,
-     * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER,
-     * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP,
-     * and CKF_DERIVE are new for v2.0.  They specify whether or not
-     * a mechanism can be used for a particular task */
     public static final long  CKF_ENCRYPT            = 0x00000100L;
     public static final long  CKF_DECRYPT            = 0x00000200L;
     public static final long  CKF_DIGEST             = 0x00000400L;
@@ -758,152 +826,141 @@
     public static final long  CKF_UNWRAP             = 0x00040000L;
     public static final long  CKF_DERIVE             = 0x00080000L;
 
-    /* CKF_EC_F_P, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE,
-     * CKF_EC_UNCOMPRESS, and CKF_EC_COMPRESS are new for v2.11. They
-     * describe a token's EC capabilities not available in mechanism
-     * information. */
-    public static final long  CKF_EC_F_P              = 0x00100000L;
-    public static final long  CKF_EC_F_2M           = 0x00200000L;
-    public static final long  CKF_EC_ECPARAMETERS   = 0x00400000L;
-    public static final long  CKF_EC_NAMEDCURVE     = 0x00800000L;
-    public static final long  CKF_EC_UNCOMPRESS     = 0x01000000L;
-    public static final long  CKF_EC_COMPRESS       = 0x02000000L;
+    /* Describe a token's EC capabilities not available in mechanism
+     * information.
+     */
+    public static final long  CKF_EC_F_P             = 0x00100000L;
+    public static final long  CKF_EC_F_2M            = 0x00200000L;
+    public static final long  CKF_EC_ECPARAMETERS    = 0x00400000L;
+    public static final long  CKF_EC_NAMEDCURVE      = 0x00800000L;
+    public static final long  CKF_EC_UNCOMPRESS      = 0x01000000L;
+    public static final long  CKF_EC_COMPRESS        = 0x02000000L;
 
-    /* FALSE for 2.01 */
     public static final long  CKF_EXTENSION          = 0x80000000L;
 
 
-    /* CK_RV is a value that identifies the return value of a
-     * Cryptoki function */
-    /* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */
-    public static final long  CKR_OK                                = 0x00000000L;
-    public static final long  CKR_CANCEL                            = 0x00000001L;
-    public static final long  CKR_HOST_MEMORY                       = 0x00000002L;
-    public static final long  CKR_SLOT_ID_INVALID                   = 0x00000003L;
+    /* Identifies the return value of a Cryptoki function */
+    public static final long  CKR_OK                 = 0x00000000L;
+    public static final long  CKR_CANCEL             = 0x00000001L;
+    public static final long  CKR_HOST_MEMORY        = 0x00000002L;
+    public static final long  CKR_SLOT_ID_INVALID    = 0x00000003L;
 
-    /* CKR_FLAGS_INVALID was removed for v2.0 */
+    public static final long  CKR_GENERAL_ERROR      = 0x00000005L;
+    public static final long  CKR_FUNCTION_FAILED    = 0x00000006L;
 
-    /* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */
-    public static final long  CKR_GENERAL_ERROR                     = 0x00000005L;
-    public static final long  CKR_FUNCTION_FAILED                   = 0x00000006L;
+    public static final long  CKR_ARGUMENTS_BAD      = 0x00000007L;
+    public static final long  CKR_NO_EVENT           = 0x00000008L;
+    public static final long  CKR_NEED_TO_CREATE_THREADS
+                                                     = 0x00000009L;
+    public static final long  CKR_CANT_LOCK          = 0x0000000AL;
 
-    /* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS,
-     * and CKR_CANT_LOCK are new for v2.01 */
-    public static final long  CKR_ARGUMENTS_BAD                     = 0x00000007L;
-    public static final long  CKR_NO_EVENT                          = 0x00000008L;
-    public static final long  CKR_NEED_TO_CREATE_THREADS            = 0x00000009L;
-    public static final long  CKR_CANT_LOCK                         = 0x0000000AL;
+    public static final long  CKR_ATTRIBUTE_READ_ONLY       = 0x00000010L;
+    public static final long  CKR_ATTRIBUTE_SENSITIVE       = 0x00000011L;
+    public static final long  CKR_ATTRIBUTE_TYPE_INVALID    = 0x00000012L;
+    public static final long  CKR_ATTRIBUTE_VALUE_INVALID   = 0x00000013L;
+    public static final long  CKR_ACTION_PROHIBITED         = 0x0000001BL;
 
-    public static final long  CKR_ATTRIBUTE_READ_ONLY               = 0x00000010L;
-    public static final long  CKR_ATTRIBUTE_SENSITIVE               = 0x00000011L;
-    public static final long  CKR_ATTRIBUTE_TYPE_INVALID            = 0x00000012L;
-    public static final long  CKR_ATTRIBUTE_VALUE_INVALID           = 0x00000013L;
-    public static final long  CKR_DATA_INVALID                      = 0x00000020L;
-    public static final long  CKR_DATA_LEN_RANGE                    = 0x00000021L;
-    public static final long  CKR_DEVICE_ERROR                      = 0x00000030L;
-    public static final long  CKR_DEVICE_MEMORY                     = 0x00000031L;
-    public static final long  CKR_DEVICE_REMOVED                    = 0x00000032L;
-    public static final long  CKR_ENCRYPTED_DATA_INVALID            = 0x00000040L;
-    public static final long  CKR_ENCRYPTED_DATA_LEN_RANGE          = 0x00000041L;
-    public static final long  CKR_FUNCTION_CANCELED                 = 0x00000050L;
-    public static final long  CKR_FUNCTION_NOT_PARALLEL             = 0x00000051L;
+    public static final long  CKR_DATA_INVALID              = 0x00000020L;
+    public static final long  CKR_DATA_LEN_RANGE            = 0x00000021L;
+    public static final long  CKR_DEVICE_ERROR              = 0x00000030L;
+    public static final long  CKR_DEVICE_MEMORY             = 0x00000031L;
+    public static final long  CKR_DEVICE_REMOVED            = 0x00000032L;
+    public static final long  CKR_ENCRYPTED_DATA_INVALID    = 0x00000040L;
+    public static final long  CKR_ENCRYPTED_DATA_LEN_RANGE  = 0x00000041L;
+    public static final long  CKR_FUNCTION_CANCELED         = 0x00000050L;
+    public static final long  CKR_FUNCTION_NOT_PARALLEL     = 0x00000051L;
 
-    /* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */
-    public static final long  CKR_FUNCTION_NOT_SUPPORTED            = 0x00000054L;
+    public static final long  CKR_FUNCTION_NOT_SUPPORTED    = 0x00000054L;
 
-    public static final long  CKR_KEY_HANDLE_INVALID                = 0x00000060L;
+    public static final long  CKR_KEY_HANDLE_INVALID        = 0x00000060L;
 
-    /* CKR_KEY_SENSITIVE was removed for v2.0 */
+    public static final long  CKR_KEY_SIZE_RANGE            = 0x00000062L;
+    public static final long  CKR_KEY_TYPE_INCONSISTENT     = 0x00000063L;
 
-    public static final long  CKR_KEY_SIZE_RANGE                    = 0x00000062L;
-    public static final long  CKR_KEY_TYPE_INCONSISTENT             = 0x00000063L;
+    public static final long  CKR_KEY_NOT_NEEDED                 = 0x00000064L;
+    public static final long  CKR_KEY_CHANGED                    = 0x00000065L;
+    public static final long  CKR_KEY_NEEDED                     = 0x00000066L;
+    public static final long  CKR_KEY_INDIGESTIBLE               = 0x00000067L;
+    public static final long  CKR_KEY_FUNCTION_NOT_PERMITTED     = 0x00000068L;
+    public static final long  CKR_KEY_NOT_WRAPPABLE              = 0x00000069L;
+    public static final long  CKR_KEY_UNEXTRACTABLE              = 0x0000006AL;
 
-    /* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED,
-     * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED,
-     * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for
-     * v2.0 */
-    public static final long  CKR_KEY_NOT_NEEDED                    = 0x00000064L;
-    public static final long  CKR_KEY_CHANGED                       = 0x00000065L;
-    public static final long  CKR_KEY_NEEDED                        = 0x00000066L;
-    public static final long  CKR_KEY_INDIGESTIBLE                  = 0x00000067L;
-    public static final long  CKR_KEY_FUNCTION_NOT_PERMITTED        = 0x00000068L;
-    public static final long  CKR_KEY_NOT_WRAPPABLE                 = 0x00000069L;
-    public static final long  CKR_KEY_UNEXTRACTABLE                 = 0x0000006AL;
+    public static final long  CKR_MECHANISM_INVALID              = 0x00000070L;
+    public static final long  CKR_MECHANISM_PARAM_INVALID        = 0x00000071L;
 
-    public static final long  CKR_MECHANISM_INVALID                 = 0x00000070L;
-    public static final long  CKR_MECHANISM_PARAM_INVALID           = 0x00000071L;
+    public static final long  CKR_OBJECT_HANDLE_INVALID          = 0x00000082L;
+    public static final long  CKR_OPERATION_ACTIVE               = 0x00000090L;
+    public static final long  CKR_OPERATION_NOT_INITIALIZED      = 0x00000091L;
+    public static final long  CKR_PIN_INCORRECT                  = 0x000000A0L;
+    public static final long  CKR_PIN_INVALID                    = 0x000000A1L;
+    public static final long  CKR_PIN_LEN_RANGE                  = 0x000000A2L;
 
-    /* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID
-     * were removed for v2.0 */
-    public static final long  CKR_OBJECT_HANDLE_INVALID             = 0x00000082L;
-    public static final long  CKR_OPERATION_ACTIVE                  = 0x00000090L;
-    public static final long  CKR_OPERATION_NOT_INITIALIZED         = 0x00000091L;
-    public static final long  CKR_PIN_INCORRECT                     = 0x000000A0L;
-    public static final long  CKR_PIN_INVALID                       = 0x000000A1L;
-    public static final long  CKR_PIN_LEN_RANGE                     = 0x000000A2L;
+    public static final long  CKR_PIN_EXPIRED                    = 0x000000A3L;
+    public static final long  CKR_PIN_LOCKED                     = 0x000000A4L;
 
-    /* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */
-    public static final long  CKR_PIN_EXPIRED                       = 0x000000A3L;
-    public static final long  CKR_PIN_LOCKED                        = 0x000000A4L;
+    public static final long  CKR_SESSION_CLOSED                 = 0x000000B0L;
+    public static final long  CKR_SESSION_COUNT                  = 0x000000B1L;
+    public static final long  CKR_SESSION_HANDLE_INVALID         = 0x000000B3L;
+    public static final long  CKR_SESSION_PARALLEL_NOT_SUPPORTED = 0x000000B4L;
+    public static final long  CKR_SESSION_READ_ONLY              = 0x000000B5L;
+    public static final long  CKR_SESSION_EXISTS                 = 0x000000B6L;
 
-    public static final long  CKR_SESSION_CLOSED                    = 0x000000B0L;
-    public static final long  CKR_SESSION_COUNT                     = 0x000000B1L;
-    public static final long  CKR_SESSION_HANDLE_INVALID            = 0x000000B3L;
-    public static final long  CKR_SESSION_PARALLEL_NOT_SUPPORTED    = 0x000000B4L;
-    public static final long  CKR_SESSION_READ_ONLY                 = 0x000000B5L;
-    public static final long  CKR_SESSION_EXISTS                    = 0x000000B6L;
+    public static final long  CKR_SESSION_READ_ONLY_EXISTS       = 0x000000B7L;
+    public static final long  CKR_SESSION_READ_WRITE_SO_EXISTS   = 0x000000B8L;
 
-    /* CKR_SESSION_READ_ONLY_EXISTS and
-     * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */
-    public static final long  CKR_SESSION_READ_ONLY_EXISTS          = 0x000000B7L;
-    public static final long  CKR_SESSION_READ_WRITE_SO_EXISTS      = 0x000000B8L;
+    public static final long  CKR_SIGNATURE_INVALID              = 0x000000C0L;
+    public static final long  CKR_SIGNATURE_LEN_RANGE            = 0x000000C1L;
+    public static final long  CKR_TEMPLATE_INCOMPLETE            = 0x000000D0L;
+    public static final long  CKR_TEMPLATE_INCONSISTENT          = 0x000000D1L;
+    public static final long  CKR_TOKEN_NOT_PRESENT              = 0x000000E0L;
+    public static final long  CKR_TOKEN_NOT_RECOGNIZED           = 0x000000E1L;
+    public static final long  CKR_TOKEN_WRITE_PROTECTED          = 0x000000E2L;
+    public static final long  CKR_UNWRAPPING_KEY_HANDLE_INVALID  = 0x000000F0L;
+    public static final long  CKR_UNWRAPPING_KEY_SIZE_RANGE      = 0x000000F1L;
+    public static final long  CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT
+                                                                 = 0x000000F2L;
+    public static final long  CKR_USER_ALREADY_LOGGED_IN         = 0x00000100L;
+    public static final long  CKR_USER_NOT_LOGGED_IN             = 0x00000101L;
+    public static final long  CKR_USER_PIN_NOT_INITIALIZED       = 0x00000102L;
+    public static final long  CKR_USER_TYPE_INVALID              = 0x00000103L;
 
-    public static final long  CKR_SIGNATURE_INVALID                 = 0x000000C0L;
-    public static final long  CKR_SIGNATURE_LEN_RANGE               = 0x000000C1L;
-    public static final long  CKR_TEMPLATE_INCOMPLETE               = 0x000000D0L;
-    public static final long  CKR_TEMPLATE_INCONSISTENT             = 0x000000D1L;
-    public static final long  CKR_TOKEN_NOT_PRESENT                 = 0x000000E0L;
-    public static final long  CKR_TOKEN_NOT_RECOGNIZED              = 0x000000E1L;
-    public static final long  CKR_TOKEN_WRITE_PROTECTED             = 0x000000E2L;
-    public static final long  CKR_UNWRAPPING_KEY_HANDLE_INVALID     = 0x000000F0L;
-    public static final long  CKR_UNWRAPPING_KEY_SIZE_RANGE         = 0x000000F1L;
-    public static final long  CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT  = 0x000000F2L;
-    public static final long  CKR_USER_ALREADY_LOGGED_IN            = 0x00000100L;
-    public static final long  CKR_USER_NOT_LOGGED_IN                = 0x00000101L;
-    public static final long  CKR_USER_PIN_NOT_INITIALIZED          = 0x00000102L;
-    public static final long  CKR_USER_TYPE_INVALID                 = 0x00000103L;
+    public static final long  CKR_USER_ANOTHER_ALREADY_LOGGED_IN = 0x00000104L;
+    public static final long  CKR_USER_TOO_MANY_TYPES            = 0x00000105L;
 
-    /* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
-     * are new to v2.01 */
-    public static final long  CKR_USER_ANOTHER_ALREADY_LOGGED_IN    = 0x00000104L;
-    public static final long  CKR_USER_TOO_MANY_TYPES               = 0x00000105L;
+    public static final long  CKR_WRAPPED_KEY_INVALID            = 0x00000110L;
+    public static final long  CKR_WRAPPED_KEY_LEN_RANGE          = 0x00000112L;
+    public static final long  CKR_WRAPPING_KEY_HANDLE_INVALID    = 0x00000113L;
+    public static final long  CKR_WRAPPING_KEY_SIZE_RANGE        = 0x00000114L;
+    public static final long  CKR_WRAPPING_KEY_TYPE_INCONSISTENT = 0x00000115L;
+    public static final long  CKR_RANDOM_SEED_NOT_SUPPORTED      = 0x00000120L;
 
-    public static final long  CKR_WRAPPED_KEY_INVALID               = 0x00000110L;
-    public static final long  CKR_WRAPPED_KEY_LEN_RANGE             = 0x00000112L;
-    public static final long  CKR_WRAPPING_KEY_HANDLE_INVALID       = 0x00000113L;
-    public static final long  CKR_WRAPPING_KEY_SIZE_RANGE           = 0x00000114L;
-    public static final long  CKR_WRAPPING_KEY_TYPE_INCONSISTENT    = 0x00000115L;
-    public static final long  CKR_RANDOM_SEED_NOT_SUPPORTED         = 0x00000120L;
+    public static final long  CKR_RANDOM_NO_RNG                  = 0x00000121L;
 
-    /* These are new to v2.0 */
-    public static final long  CKR_RANDOM_NO_RNG                     = 0x00000121L;
+    public static final long  CKR_DOMAIN_PARAMS_INVALID          = 0x00000130L;
 
-    /* These are new to v2.11 */
-    public static final long  CKR_DOMAIN_PARAMS_INVALID             = 0x00000130L;
+    public static final long  CKR_CURVE_NOT_SUPPORTED            = 0x00000140L;
 
-    /* These are new to v2.0 */
-    public static final long  CKR_BUFFER_TOO_SMALL                  = 0x00000150L;
-    public static final long  CKR_SAVED_STATE_INVALID               = 0x00000160L;
-    public static final long  CKR_INFORMATION_SENSITIVE             = 0x00000170L;
-    public static final long  CKR_STATE_UNSAVEABLE                  = 0x00000180L;
+    public static final long  CKR_BUFFER_TOO_SMALL               = 0x00000150L;
+    public static final long  CKR_SAVED_STATE_INVALID            = 0x00000160L;
+    public static final long  CKR_INFORMATION_SENSITIVE          = 0x00000170L;
+    public static final long  CKR_STATE_UNSAVEABLE               = 0x00000180L;
 
-    /* These are new to v2.01 */
-    public static final long  CKR_CRYPTOKI_NOT_INITIALIZED          = 0x00000190L;
-    public static final long  CKR_CRYPTOKI_ALREADY_INITIALIZED      = 0x00000191L;
-    public static final long  CKR_MUTEX_BAD                         = 0x000001A0L;
-    public static final long  CKR_MUTEX_NOT_LOCKED                  = 0x000001A1L;
+    public static final long  CKR_CRYPTOKI_NOT_INITIALIZED       = 0x00000190L;
+    public static final long  CKR_CRYPTOKI_ALREADY_INITIALIZED   = 0x00000191L;
+    public static final long  CKR_MUTEX_BAD                      = 0x000001A0L;
+    public static final long  CKR_MUTEX_NOT_LOCKED               = 0x000001A1L;
 
-    public static final long  CKR_VENDOR_DEFINED                    = 0x80000000L;
+    public static final long  CKR_NEW_PIN_MODE                   = 0x000001B0L;
+    public static final long  CKR_NEXT_OTP                       = 0x000001B1L;
+
+    public static final long  CKR_EXCEEDED_MAX_ITERATIONS        = 0x000001B5L;
+    public static final long  CKR_FIPS_SELF_TEST_FAILED          = 0x000001B6L;
+    public static final long  CKR_LIBRARY_LOAD_FAILED            = 0x000001B7L;
+    public static final long  CKR_PIN_TOO_WEAK                   = 0x000001B8L;
+    public static final long  CKR_PUBLIC_KEY_INVALID             = 0x000001B9L;
+    public static final long  CKR_FUNCTION_REJECTED              = 0x00000200L;
+
+    public static final long  CKR_VENDOR_DEFINED                 = 0x80000000L;
 
 
     /* flags: bit flags that provide capabilities of the slot
@@ -916,31 +973,56 @@
     /* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
     public static final long  CKF_DONT_BLOCK =    1L;
 
-
     /* The following MGFs are defined */
-    public static final long  CKG_MGF1_SHA1       =  0x00000001L;
-    // new for v2.20 amendment 3
+    public static final long  CKG_MGF1_SHA1       = 0x00000001L;
+    public static final long  CKG_MGF1_SHA256     = 0x00000002L;
+    public static final long  CKG_MGF1_SHA384     = 0x00000003L;
+    public static final long  CKG_MGF1_SHA512     = 0x00000004L;
     public static final long  CKG_MGF1_SHA224     = 0x00000005L;
 
     /* The following encoding parameter sources are defined */
     public static final long  CKZ_DATA_SPECIFIED   = 0x00000001L;
 
 
-    /* The following PRFs are defined in PKCS #5 v2.0. */
-    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA1 = 0x00000001L;
-
-
-    /* The following salt value sources are defined in PKCS #5 v2.0. */
-    public static final long CKZ_SALT_SPECIFIED        = 0x00000001L;
-
     /* the following EC Key Derivation Functions are defined */
-    public static final long CKD_NULL                 = 0x00000001L;
-    public static final long CKD_SHA1_KDF             = 0x00000002L;
+    public static final long  CKD_NULL                 = 0x00000001L;
+    public static final long  CKD_SHA1_KDF             = 0x00000002L;
 
     /* the following X9.42 Diffie-Hellman Key Derivation Functions are defined */
-    public static final long CKD_SHA1_KDF_ASN1        = 0x00000003L;
-    public static final long CKD_SHA1_KDF_CONCATENATE = 0x00000004L;
+    public static final long  CKD_SHA1_KDF_ASN1        = 0x00000003L;
+    public static final long  CKD_SHA1_KDF_CONCATENATE = 0x00000004L;
+    public static final long  CKD_SHA224_KDF           = 0x00000005L;
+    public static final long  CKD_SHA256_KDF           = 0x00000006L;
+    public static final long  CKD_SHA384_KDF           = 0x00000007L;
+    public static final long  CKD_SHA512_KDF           = 0x00000008L;
+    public static final long  CKD_CPDIVERSIFY_KDF      = 0x00000009L;
 
+    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA1        = 0x00000001L;
+    public static final long  CKP_PKCS5_PBKD2_HMAC_GOSTR3411   = 0x00000002L;
+    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA224      = 0x00000003L;
+    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA256      = 0x00000004L;
+    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA384      = 0x00000005L;
+    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA512      = 0x00000006L;
+    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA512_224  = 0x00000007L;
+    public static final long  CKP_PKCS5_PBKD2_HMAC_SHA512_256  = 0x00000008L;
+
+    public static final long  CKZ_SALT_SPECIFIED      = 0x00000001L;
+
+    public static final long  CK_OTP_VALUE            = 0x00000000L;
+    public static final long  CK_OTP_PIN              = 0x00000001L;
+    public static final long  CK_OTP_CHALLENGE        = 0x00000002L;
+    public static final long  CK_OTP_TIME             = 0x00000003L;
+    public static final long  CK_OTP_COUNTER          = 0x00000004L;
+    public static final long  CK_OTP_FLAGS            = 0x00000005L;
+    public static final long  CK_OTP_OUTPUT_LENGTH    = 0x00000006L;
+    public static final long  CK_OTP_OUTPUT_FORMAT    = 0x00000007L;
+
+    public static final long  CKF_NEXT_OTP            = 0x00000001L;
+    public static final long  CKF_EXCLUDE_TIME        = 0x00000002L;
+    public static final long  CKF_EXCLUDE_COUNTER     = 0x00000004L;
+    public static final long  CKF_EXCLUDE_CHALLENGE   = 0x00000008L;
+    public static final long  CKF_EXCLUDE_PIN         = 0x00000010L;
+    public static final long  CKF_USER_FRIENDLY_OTP   = 0x00000020L;
 
     // private NSS attribute (for DSA and DH private keys)
     public static final long  CKA_NETSCAPE_DB         = 0xD5A0DB00L;
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java	Tue Jun 11 13:04:36 2019 -0400
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java	Tue Jun 11 21:30:28 2019 +0000
@@ -88,6 +88,7 @@
             0x00000011,
             0x00000012,
             0x00000013,
+            0x0000001B,
             0x00000020,
             0x00000021,
             0x00000030,
@@ -158,6 +159,13 @@
             0x00000191,
             0x000001A0,
             0x000001A1,
+            0x000001B0,
+            0x000001B1,
+            0x000001B5,
+            0x000001B6,
+            0x000001B7,
+            0x000001B8,
+            0x000001B9,
             0x00000200,
             0x80000000,
         };
@@ -176,6 +184,7 @@
             "CKR_ATTRIBUTE_SENSITIVE",
             "CKR_ATTRIBUTE_TYPE_INVALID",
             "CKR_ATTRIBUTE_VALUE_INVALID",
+            "CKR_ACTION_PROHIBITED",
             "CKR_DATA_INVALID",
             "CKR_DATA_LEN_RANGE",
             "CKR_DEVICE_ERROR",
@@ -246,6 +255,13 @@
             "CKR_CRYPTOKI_ALREADY_INITIALIZED",
             "CKR_MUTEX_BAD",
             "CKR_MUTEX_NOT_LOCKED",
+            "CKR_NEW_PIN_MODE",
+            "CKR_NEXT_OTP",
+            "CKR_EXCEEDED_MAX_ITERATIONS",
+            "CKR_FIPS_SELF_TEST_FAILED",
+            "CKR_LIBRARY_LOAD_FAILED",
+            "CKR_PIN_TOO_WEAK",
+            "CKR_PUBLIC_KEY_INVALID",
             "CKR_FUNCTION_REJECTED",
             "CKR_VENDOR_DEFINED",
         };
--- a/src/jdk.crypto.cryptoki/share/legal/pkcs11cryptotoken.md	Tue Jun 11 13:04:36 2019 -0400
+++ b/src/jdk.crypto.cryptoki/share/legal/pkcs11cryptotoken.md	Tue Jun 11 21:30:28 2019 +0000
@@ -1,20 +1,32 @@
-## PKCS #11 Cryptographic Token Interface v2.20 Amendment 3 Header Files
+ASIS PKCS #11 Cryptographic Token Interface v2.40
 
-### PKCS #11 Cryptographic Token Interface License
-<pre>
+### OASIS PKCS #11 Cryptographic Token Interface License
+```
 
-License to copy and use this software is granted provided that it is
-identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
-(Cryptoki)" in all material mentioning or referencing this software.
+Copyright (c) OASIS Open 2016. All Rights Reserved.
 
-License is also granted to make and use derivative works provided that
-such works are identified as "derived from the RSA Security Inc. PKCS #11
-Cryptographic Token Interface (Cryptoki)" in all material mentioning or
-referencing the derived work.
+All capitalized terms in the following text have the meanings assigned to them in the OASIS
+Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the
+OASIS website: [http://www.oasis-open.org/policies-guidelines/ipr]
 
-RSA Security Inc. makes no representations concerning either the
-merchantability of this software or the suitability of this software for
-any particular purpose. It is provided "as is" without express or implied
-warranty of any kind.
+This document and translations of it may be copied and furnished to others, and derivative works
+that comment on or otherwise explain it or assist in its implementation may be prepared, copied,
+published, and distributed, in whole or in part, without restriction of any kind, provided that
+the above copyright notice and this section are included on all such copies and derivative works.
+However, this document itself may not be modified in any way, including by removing the copyright
+notice or references to OASIS, except as needed for the purpose of developing any document or
+deliverable produced by an OASIS Technical Committee (in which case the rules applicable to
+copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it
+into languages other than English.
 
-</pre>
+The limited permissions granted above are perpetual and will not be revoked by OASIS or its
+successors or assigns.
+
+This document and the information contained herein is provided on an "AS IS" basis and OASIS
+DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE
+USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF
+MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. OASIS AND ITS MEMBERS WILL NOT BE LIABLE FOR
+ANY DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE OF THIS DOCUMENT OR
+ANY PART THEREOF.
+
+```
--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c	Tue Jun 11 13:04:36 2019 -0400
+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c	Tue Jun 11 21:30:28 2019 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
  */
 
 /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
@@ -68,7 +68,8 @@
 
 /* declare file private functions */
 
-void jMechanismParameterToCKMechanismParameterSlow(JNIEnv *env, jobject jParam, CK_VOID_PTR *ckpParamPtr, CK_ULONG *ckpLength);
+CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam,
+        CK_MECHANISM_TYPE ckMech, CK_ULONG *ckpLength);
 
 
 /*
@@ -425,8 +426,8 @@
     memset(&ckAttribute, 0, sizeof(CK_ATTRIBUTE));
 
     // TBD: what if jAttribute == NULL?!
+    TRACE0("\nDEBUG: jAttributeToCKAttribute");
 
-    TRACE0("\nDEBUG: jAttributeToCKAttribute");
     /* get CK_ATTRIBUTE class */
     TRACE0(", getting attribute object class");
     jAttributeClass = (*env)->GetObjectClass(env, jAttribute);
@@ -437,7 +438,7 @@
     jFieldID = (*env)->GetFieldID(env, jAttributeClass, "type", "J");
     if (jFieldID == NULL) { return ckAttribute; }
     jType = (*env)->GetLongField(env, jAttribute, jFieldID);
-    TRACE1(", type=0x%X", jType);
+    TRACE1(", type=0x%lX", jType);
 
     /* get pValue */
     TRACE0(", getting pValue field");
@@ -450,9 +451,9 @@
     TRACE0(", converting pValue to primitive object");
 
     /* convert the Java pValue object to a CK-type pValue pointer */
-    jObjectToPrimitiveCKObjectPtrPtr(env, jPValue, &(ckAttribute.pValue), &(ckAttribute.ulValueLen));
+    ckAttribute.pValue = jObjectToPrimitiveCKObjectPtr(env, jPValue, &(ckAttribute.ulValueLen));
 
-    TRACE0("\nFINISHED\n");
+    TRACE0("\nDEBUG: jAttributeToCKAttribute FINISHED\n");
 
     return ckAttribute ;
 }
@@ -515,22 +516,19 @@
  *
  * @param env - used to call JNI functions to get the Java classes and objects
  * @param jParam - the Java CK_SSL3_MASTER_KEY_DERIVE_PARAMS object to convert
- * @return - the new CK_SSL3_MASTER_KEY_DERIVE_PARAMS structure
+ * @param ckParamPtr - pointer to the new CK_SSL3_MASTER_KEY_DERIVE_PARAMS structure
  */
-CK_SSL3_MASTER_KEY_DERIVE_PARAMS
-jSsl3MasterKeyDeriveParamToCKSsl3MasterKeyDeriveParam(JNIEnv *env,
-        jobject jParam)
+void jSsl3MasterKeyDeriveParamToCKSsl3MasterKeyDeriveParam(JNIEnv *env,
+        jobject jParam, CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR ckParamPtr)
 {
-    CK_SSL3_MASTER_KEY_DERIVE_PARAMS ckParam;
     jclass jSsl3MasterKeyDeriveParamsClass;
-    memset(&ckParam, 0, sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS));
+    memset(ckParamPtr, 0, sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS));
     jSsl3MasterKeyDeriveParamsClass =
             (*env)->FindClass(env, CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS);
-    if (jSsl3MasterKeyDeriveParamsClass == NULL) { return ckParam; }
+    if (jSsl3MasterKeyDeriveParamsClass == NULL) { return; }
     masterKeyDeriveParamToCKMasterKeyDeriveParam(env, jParam,
             jSsl3MasterKeyDeriveParamsClass,
-            &ckParam.pVersion, &ckParam.RandomInfo);
-    return ckParam;
+            &(ckParamPtr->pVersion), &(ckParamPtr->RandomInfo));
 }
 
 /*
@@ -539,123 +537,116 @@
  *
  * @param env - used to call JNI functions to get the Java classes and objects
  * @param jParam - the Java CK_TLS12_MASTER_KEY_DERIVE_PARAMS object to convert
- * @return - the new CK_TLS12_MASTER_KEY_DERIVE_PARAMS structure
+ * @param ckParamPtr - pointer to the new CK_TLS12_MASTER_KEY_DERIVE_PARAMS structure
  */
-CK_TLS12_MASTER_KEY_DERIVE_PARAMS
-jTls12MasterKeyDeriveParamToCKTls12MasterKeyDeriveParam(JNIEnv *env,
-        jobject jParam)
+void jTls12MasterKeyDeriveParamToCKTls12MasterKeyDeriveParam(JNIEnv *env,
+        jobject jParam, CK_TLS12_MASTER_KEY_DERIVE_PARAMS_PTR ckParamPtr)
 {
-    CK_TLS12_MASTER_KEY_DERIVE_PARAMS ckParam;
     jclass jTls12MasterKeyDeriveParamsClass;
     jfieldID fieldID;
-    memset(&ckParam, 0, sizeof(CK_TLS12_MASTER_KEY_DERIVE_PARAMS));
+    memset(ckParamPtr, 0, sizeof(CK_TLS12_MASTER_KEY_DERIVE_PARAMS));
     jTls12MasterKeyDeriveParamsClass =
             (*env)->FindClass(env, CLASS_TLS12_MASTER_KEY_DERIVE_PARAMS);
-    if (jTls12MasterKeyDeriveParamsClass == NULL) { return ckParam; }
+    if (jTls12MasterKeyDeriveParamsClass == NULL) { return; }
     masterKeyDeriveParamToCKMasterKeyDeriveParam(env, jParam,
-            jTls12MasterKeyDeriveParamsClass, &ckParam.pVersion,
-            &ckParam.RandomInfo);
+            jTls12MasterKeyDeriveParamsClass, &ckParamPtr->pVersion,
+            &ckParamPtr->RandomInfo);
     fieldID = (*env)->GetFieldID(env,
             jTls12MasterKeyDeriveParamsClass, "prfHashMechanism", "J");
     if (fieldID != NULL) {
         jlong prfHashMechanism =
                 (*env)->GetLongField(env, jParam, fieldID);
-        ckParam.prfHashMechanism = (CK_MECHANISM_TYPE)prfHashMechanism;
+        ckParamPtr->prfHashMechanism = (CK_MECHANISM_TYPE)prfHashMechanism;
     }
-    return ckParam;
 }
 
 /*
  * converts the Java CK_TLS_PRF_PARAMS object to a CK_TLS_PRF_PARAMS structure
  */
-CK_TLS_PRF_PARAMS jTlsPrfParamsToCKTlsPrfParam(JNIEnv *env, jobject jParam)
+void jTlsPrfParamsToCKTlsPrfParam(JNIEnv *env, jobject jParam,
+CK_TLS_PRF_PARAMS_PTR ckParamPtr)
 {
     jclass jTlsPrfParamsClass;
-    CK_TLS_PRF_PARAMS ckParam;
     jfieldID fieldID;
     jobject jSeed, jLabel, jOutput;
-    memset(&ckParam, 0, sizeof(CK_TLS_PRF_PARAMS));
+    memset(ckParamPtr, 0, sizeof(CK_TLS_PRF_PARAMS));
 
     // TBD: what if jParam == NULL?!
 
     /* get pSeed */
     jTlsPrfParamsClass = (*env)->FindClass(env, CLASS_TLS_PRF_PARAMS);
-    if (jTlsPrfParamsClass == NULL) { return ckParam; }
+    if (jTlsPrfParamsClass == NULL) { return; }
     fieldID = (*env)->GetFieldID(env, jTlsPrfParamsClass, "pSeed", "[B");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jSeed = (*env)->GetObjectField(env, jParam, fieldID);
 
     /* get pLabel */
     fieldID = (*env)->GetFieldID(env, jTlsPrfParamsClass, "pLabel", "[B");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jLabel = (*env)->GetObjectField(env, jParam, fieldID);
 
     /* get pOutput */
     fieldID = (*env)->GetFieldID(env, jTlsPrfParamsClass, "pOutput", "[B");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jOutput = (*env)->GetObjectField(env, jParam, fieldID);
 
     /* populate java values */
-    jByteArrayToCKByteArray(env, jSeed, &(ckParam.pSeed), &(ckParam.ulSeedLen));
-    if ((*env)->ExceptionCheck(env)) { return ckParam; }
-    jByteArrayToCKByteArray(env, jLabel, &(ckParam.pLabel), &(ckParam.ulLabelLen));
+    jByteArrayToCKByteArray(env, jSeed, &(ckParamPtr->pSeed), &(ckParamPtr->ulSeedLen));
+    if ((*env)->ExceptionCheck(env)) { return; }
+    jByteArrayToCKByteArray(env, jLabel, &(ckParamPtr->pLabel), &(ckParamPtr->ulLabelLen));
     if ((*env)->ExceptionCheck(env)) {
-        free(ckParam.pSeed);
-        return ckParam;
+        free(ckParamPtr->pSeed);
+        return;
     }
-    ckParam.pulOutputLen = malloc(sizeof(CK_ULONG));
-    if (ckParam.pulOutputLen == NULL) {
-        free(ckParam.pSeed);
-        free(ckParam.pLabel);
+    ckParamPtr->pulOutputLen = malloc(sizeof(CK_ULONG));
+    if (ckParamPtr->pulOutputLen == NULL) {
+        free(ckParamPtr->pSeed);
+        free(ckParamPtr->pLabel);
         throwOutOfMemoryError(env, 0);
-        return ckParam;
+        return;
     }
-    jByteArrayToCKByteArray(env, jOutput, &(ckParam.pOutput), ckParam.pulOutputLen);
+    jByteArrayToCKByteArray(env, jOutput, &(ckParamPtr->pOutput), ckParamPtr->pulOutputLen);
     if ((*env)->ExceptionCheck(env)) {
-        free(ckParam.pSeed);
-        free(ckParam.pLabel);
-        free(ckParam.pulOutputLen);
-        return ckParam;
+        free(ckParamPtr->pSeed);
+        free(ckParamPtr->pLabel);
+        free(ckParamPtr->pOutput);
+        return;
     }
-
-    return ckParam ;
 }
 
 /*
  * converts the Java CK_TLS_MAC_PARAMS object to a CK_TLS_MAC_PARAMS structure
  */
-CK_TLS_MAC_PARAMS jTlsMacParamsToCKTlsMacParam(JNIEnv *env, jobject jParam)
+void jTlsMacParamsToCKTlsMacParam(JNIEnv *env, jobject jParam,
+        CK_TLS_MAC_PARAMS_PTR ckParamPtr)
 {
     jclass jTlsMacParamsClass;
-    CK_TLS_MAC_PARAMS ckParam;
     jfieldID fieldID;
     jlong jPrfMechanism, jUlMacLength, jUlServerOrClient;
-    memset(&ckParam, 0, sizeof(CK_TLS_MAC_PARAMS));
+    memset(ckParamPtr, 0, sizeof(CK_TLS_MAC_PARAMS));
 
     jTlsMacParamsClass = (*env)->FindClass(env, CLASS_TLS_MAC_PARAMS);
-    if (jTlsMacParamsClass == NULL) { return ckParam; }
+    if (jTlsMacParamsClass == NULL) { return; }
 
     /* get prfMechanism */
     fieldID = (*env)->GetFieldID(env, jTlsMacParamsClass, "prfMechanism", "J");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jPrfMechanism = (*env)->GetLongField(env, jParam, fieldID);
 
     /* get ulMacLength */
     fieldID = (*env)->GetFieldID(env, jTlsMacParamsClass, "ulMacLength", "J");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jUlMacLength = (*env)->GetLongField(env, jParam, fieldID);
 
     /* get ulServerOrClient */
     fieldID = (*env)->GetFieldID(env, jTlsMacParamsClass, "ulServerOrClient", "J");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jUlServerOrClient = (*env)->GetLongField(env, jParam, fieldID);
 
     /* populate java values */
-    ckParam.prfMechanism = jLongToCKULong(jPrfMechanism);
-    ckParam.ulMacLength = jLongToCKULong(jUlMacLength);
-    ckParam.ulServerOrClient = jLongToCKULong(jUlServerOrClient);
-
-    return ckParam;
+    ckParamPtr->prfMechanism = jLongToCKULong(jPrfMechanism);
+    ckParamPtr->ulMacLength = jLongToCKULong(jUlMacLength);
+    ckParamPtr->ulServerOrClient = jLongToCKULong(jUlServerOrClient);
 }
 
 void keyMatParamToCKKeyMatParam(JNIEnv *env, jobject jParam,
@@ -747,7 +738,7 @@
         free(cKKeyMatParamRandomInfo->pClientRandom);
         return;
     }
-    /* allocate memory for pRetrunedKeyMaterial */
+    /* allocate memory for pReturnedKeyMaterial */
     *cKKeyMatParamPReturnedKeyMaterial =
             (CK_SSL3_KEY_MAT_OUT_PTR)malloc(sizeof(CK_SSL3_KEY_MAT_OUT));
     if (*cKKeyMatParamPReturnedKeyMaterial == NULL) {
@@ -789,22 +780,20 @@
  *
  * @param env - used to call JNI funktions to get the Java classes and objects
  * @param jParam - the Java CK_SSL3_KEY_MAT_PARAMS object to convert
- * @return - the new CK_SSL3_KEY_MAT_PARAMS structure
+ * @param ckParamPtr - pointer to the new CK_SSL3_KEY_MAT_PARAMS structure
  */
-CK_SSL3_KEY_MAT_PARAMS
-jSsl3KeyMatParamToCKSsl3KeyMatParam(JNIEnv *env, jobject jParam)
+void jSsl3KeyMatParamToCKSsl3KeyMatParam(JNIEnv *env, jobject jParam,
+        CK_SSL3_KEY_MAT_PARAMS_PTR ckParamPtr)
 {
-    CK_SSL3_KEY_MAT_PARAMS ckParam;
     jclass jSsl3KeyMatParamsClass;
-    memset(&ckParam, 0, sizeof(CK_SSL3_KEY_MAT_PARAMS));
+    memset(ckParamPtr, 0, sizeof(CK_SSL3_KEY_MAT_PARAMS));
     jSsl3KeyMatParamsClass = (*env)->FindClass(env,
             CLASS_SSL3_KEY_MAT_PARAMS);
-    if (jSsl3KeyMatParamsClass == NULL) { return ckParam; }
+    if (jSsl3KeyMatParamsClass == NULL) { return; }
     keyMatParamToCKKeyMatParam(env, jParam, jSsl3KeyMatParamsClass,
-            &ckParam.ulMacSizeInBits, &ckParam.ulKeySizeInBits,
-            &ckParam.ulIVSizeInBits, &ckParam.bIsExport,
-            &ckParam.RandomInfo, &ckParam.pReturnedKeyMaterial);
-    return ckParam;
+            &(ckParamPtr->ulMacSizeInBits), &(ckParamPtr->ulKeySizeInBits),
+            &(ckParamPtr->ulIVSizeInBits), &(ckParamPtr->bIsExport),
+            &(ckParamPtr->RandomInfo), &(ckParamPtr->pReturnedKeyMaterial));
 }
 
 /*
@@ -813,29 +802,27 @@
  *
  * @param env - used to call JNI functions to get the Java classes and objects
  * @param jParam - the Java CK_TLS12_KEY_MAT_PARAMS object to convert
- * @return - the new CK_TLS12_KEY_MAT_PARAMS structure
+ * @param ckParamPtr - pointer to the new CK_TLS12_KEY_MAT_PARAMS structure
  */
-CK_TLS12_KEY_MAT_PARAMS jTls12KeyMatParamToCKTls12KeyMatParam(JNIEnv *env,
-        jobject jParam)
+void jTls12KeyMatParamToCKTls12KeyMatParam(JNIEnv *env,
+        jobject jParam, CK_TLS12_KEY_MAT_PARAMS_PTR ckParamPtr)
 {
-    CK_TLS12_KEY_MAT_PARAMS ckParam;
     jclass jTls12KeyMatParamsClass;
     jfieldID fieldID;
-    memset(&ckParam, 0, sizeof(CK_TLS12_KEY_MAT_PARAMS));
+    memset(ckParamPtr, 0, sizeof(CK_TLS12_KEY_MAT_PARAMS));
     jTls12KeyMatParamsClass = (*env)->FindClass(env,
             CLASS_TLS12_KEY_MAT_PARAMS);
-    if (jTls12KeyMatParamsClass == NULL) { return ckParam; }
+    if (jTls12KeyMatParamsClass == NULL) { return; }
     keyMatParamToCKKeyMatParam(env, jParam, jTls12KeyMatParamsClass,
-            &ckParam.ulMacSizeInBits, &ckParam.ulKeySizeInBits,
-            &ckParam.ulIVSizeInBits, &ckParam.bIsExport,
-            &ckParam.RandomInfo, &ckParam.pReturnedKeyMaterial);
+            &(ckParamPtr->ulMacSizeInBits), &(ckParamPtr->ulKeySizeInBits),
+            &(ckParamPtr->ulIVSizeInBits), &(ckParamPtr->bIsExport),
+            &(ckParamPtr->RandomInfo), &(ckParamPtr->pReturnedKeyMaterial));
     fieldID = (*env)->GetFieldID(env, jTls12KeyMatParamsClass,
             "prfHashMechanism", "J");
     if (fieldID != NULL) {
         jlong prfHashMechanism = (*env)->GetLongField(env, jParam, fieldID);
-        ckParam.prfHashMechanism = (CK_MECHANISM_TYPE)prfHashMechanism;
+        ckParamPtr->prfHashMechanism = (CK_MECHANISM_TYPE)prfHashMechanism;
     }
-    return ckParam;
 }
 
 /*
@@ -843,10 +830,10 @@
  *
  * @param env - used to call JNI funktions to get the Java classes and objects
  * @param jParam - the Java CK_AES_CTR_PARAMS object to convert
- * @param ckpParam - pointer to the new CK_AES_CTR_PARAMS structure
+ * @param ckParamPtr - pointer to the new CK_AES_CTR_PARAMS structure
  */
 void jAesCtrParamsToCKAesCtrParam(JNIEnv *env, jobject jParam,
-                                  CK_AES_CTR_PARAMS_PTR ckpParam) {
+                                  CK_AES_CTR_PARAMS_PTR ckParamPtr) {
     jclass jAesCtrParamsClass;
     jfieldID fieldID;
     jlong jCounterBits;
@@ -857,6 +844,9 @@
     /* get ulCounterBits */
     jAesCtrParamsClass = (*env)->FindClass(env, CLASS_AES_CTR_PARAMS);
     if (jAesCtrParamsClass == NULL) { return; }
+    if (!(*env)->IsInstanceOf(env, jParam, jAesCtrParamsClass)) {
+        return;
+    }
     fieldID = (*env)->GetFieldID(env, jAesCtrParamsClass, "ulCounterBits", "J");
     if (fieldID == NULL) { return; }
     jCounterBits = (*env)->GetLongField(env, jParam, fieldID);
@@ -867,40 +857,147 @@
     jCb = (*env)->GetObjectField(env, jParam, fieldID);
 
     /* populate java values */
-    ckpParam->ulCounterBits = jLongToCKULong(jCounterBits);
+    ckParamPtr->ulCounterBits = jLongToCKULong(jCounterBits);
     jByteArrayToCKByteArray(env, jCb, &ckBytes, &ckTemp);
     if ((*env)->ExceptionCheck(env)) { return; }
     if (ckTemp != 16) {
-        TRACE1("ERROR: WRONG CTR IV LENGTH %d", ckTemp);
+        TRACE1("\nERROR: WRONG CTR IV LENGTH %lu", ckTemp);
     } else {
-        memcpy(ckpParam->cb, ckBytes, ckTemp);
+        memcpy(ckParamPtr->cb, ckBytes, ckTemp);
         free(ckBytes);
     }
 }
 
 /*
- * converts a Java CK_MECHANISM object into a CK_MECHANISM structure
+ * converts the Java CK_GCM_PARAMS object to a CK_GCM_PARAMS structure
+ *
+ * @param env - used to call JNI funktions to get the Java classes and objects
+ * @param jParam - the Java CK_GCM_PARAMS object to convert
+ * @param ckpParam - pointer to the new CK_GCM_PARAMS structure
+ */
+void jGCMParamsToCKGCMParam(JNIEnv *env, jobject jParam,
+                            CK_GCM_PARAMS_PTR ckpParam) {
+    jclass jGcmParamsClass;
+    jfieldID fieldID;
+    jobject jIv, jAad;
+    jlong jTagLen;
+
+    /* get iv */
+    jGcmParamsClass = (*env)->FindClass(env, CLASS_GCM_PARAMS);
+    if (jGcmParamsClass == NULL) { return; }
+    if (!(*env)->IsInstanceOf(env, jParam, jGcmParamsClass)) {
+        return;
+    }
+
+    fieldID = (*env)->GetFieldID(env, jGcmParamsClass, "iv", "[B");
+    if (fieldID == NULL) { return; }
+    jIv = (*env)->GetObjectField(env, jParam, fieldID);
+
+    /* get aad */
+    fieldID = (*env)->GetFieldID(env, jGcmParamsClass, "aad", "[B");
+    if (fieldID == NULL) { return; }
+    jAad = (*env)->GetObjectField(env, jParam, fieldID);
+
+    /* get tagLength */
+    fieldID = (*env)->GetFieldID(env, jGcmParamsClass, "tagBits", "J");
+    if (fieldID == NULL) { return; }
+    jTagLen = (*env)->GetLongField(env, jParam, fieldID);
+
+
+    /* populate java values */
+    jByteArrayToCKByteArray(env, jIv, &(ckpParam->pIv), &(ckpParam->ulIvLen));
+    if ((*env)->ExceptionCheck(env)) { return; }
+
+    jByteArrayToCKByteArray(env, jAad, &(ckpParam->pAAD), &(ckpParam->ulAADLen));
+    if ((*env)->ExceptionCheck(env)) { return; }
+
+    ckpParam->ulTagBits = jLongToCKULong(jTagLen);
+}
+
+/*
+ * converts the Java CK_CCM_PARAMS object to a CK_CCM_PARAMS structure
+ *
+ * @param env - used to call JNI functions to get the Java classes and objects
+ * @param jParam - the Java CK_CCM_PARAMS object to convert
+ * @param ckpParam - pointer to the new CK_CCM_PARAMS structure
+ */
+void jCCMParamsToCKCCMParam(JNIEnv *env, jobject jParam,
+                            CK_CCM_PARAMS_PTR ckpParam) {
+    jclass jCcmParamsClass;
+    jfieldID fieldID;
+    jobject jNonce, jAad;
+    jlong jDataLen, jMacLen;
+
+    /* get iv */
+    jCcmParamsClass = (*env)->FindClass(env, CLASS_CCM_PARAMS);
+    if (jCcmParamsClass == NULL) { return; }
+
+    if (!(*env)->IsInstanceOf(env, jParam, jCcmParamsClass)) {
+        return;
+    }
+    fieldID = (*env)->GetFieldID(env, jCcmParamsClass, "dataLen", "J");
+    if (fieldID == NULL) { return; }
+    jDataLen = (*env)->GetLongField(env, jParam, fieldID);
+
+    fieldID = (*env)->GetFieldID(env, jCcmParamsClass, "nonce", "[B");
+    if (fieldID == NULL) { return; }
+    jNonce = (*env)->GetObjectField(env, jParam, fieldID);
+
+    /* get aad */
+    fieldID = (*env)->GetFieldID(env, jCcmParamsClass, "aad", "[B");
+    if (fieldID == NULL) { return; }
+    jAad = (*env)->GetObjectField(env, jParam, fieldID);
+
+    /* get macLen */
+    fieldID = (*env)->GetFieldID(env, jCcmParamsClass, "macLen", "J");
+    if (fieldID == NULL) { return; }
+    jMacLen = (*env)->GetLongField(env, jParam, fieldID);
+
+    /* populate java values */
+    ckpParam->ulDataLen = jLongToCKULong(jDataLen);
+    jByteArrayToCKByteArray(env, jNonce, &(ckpParam->pNonce),
+            &(ckpParam->ulNonceLen));
+    jByteArrayToCKByteArray(env, jAad, &(ckpParam->pAAD),
+            &(ckpParam->ulAADLen));
+    ckpParam->ulMACLen = jLongToCKULong(jMacLen);
+    if ((*env)->ExceptionCheck(env)) { return; }
+}
+
+/*
+ * converts a Java CK_MECHANISM object into a pointer to a CK_MECHANISM
+ * structure. NOTE: CALLER IS RESPONSIBLE FOR FREEING THE RETURNED POINTER
  *
  * @param env - used to call JNI funktions to get the values out of the Java object
  * @param jMechanism - the Java CK_MECHANISM object to convert
- * @return - the new CK_MECHANISM structure
+ * @return - pointer to the new CK_MECHANISM structure
  */
-void jMechanismToCKMechanism(JNIEnv *env, jobject jMechanism, CK_MECHANISM_PTR ckMechanismPtr)
+CK_MECHANISM_PTR jMechanismToCKMechanismPtr(JNIEnv *env, jobject jMech)
 {
-    jlong jMechanismType = (*env)->GetLongField(env, jMechanism, mech_mechanismID);
-    jobject jParameter = (*env)->GetObjectField(env, jMechanism, mech_pParameterID);
+    CK_MECHANISM_PTR ckpMech;
+    jlong jMechType = (*env)->GetLongField(env, jMech, mech_mechanismID);
+    jobject jParam = (*env)->GetObjectField(env, jMech, mech_pParameterID);
 
-    (*ckMechanismPtr).mechanism = jLongToCKULong(jMechanismType);
+    /* allocate memory for CK_MECHANISM_PTR */
+    ckpMech =  (CK_MECHANISM_PTR) malloc(sizeof(CK_MECHANISM));
+    if (ckpMech == NULL) {
+        throwOutOfMemoryError(env, 0);
+        return NULL;
+    }
+    TRACE1("DEBUG jMechanismToCKMechanismPtr: allocated mech 0x%lX\n", ckpMech);
 
-    /* convert the specific Java mechanism parameter object to a pointer to a CK-type mechanism
-     * structure
+    ckpMech->mechanism = jLongToCKULong(jMechType);
+
+    /* convert the specific Java mechanism parameter object to a pointer to a
+     *  CK-type mechanism structure
      */
-    if (jParameter == NULL) {
-        (*ckMechanismPtr).pParameter = NULL;
-        (*ckMechanismPtr).ulParameterLen = 0;
+    if (jParam == NULL) {
+        ckpMech->pParameter = NULL;
+        ckpMech->ulParameterLen = 0;
     } else {
-        jMechanismParameterToCKMechanismParameter(env, jParameter, &(*ckMechanismPtr).pParameter, &(*ckMechanismPtr).ulParameterLen);
+        ckpMech->pParameter = jMechParamToCKMechParamPtr(env, jParam,
+            ckpMech->mechanism, &(ckpMech->ulParameterLen));
     }
+    return ckpMech;
 }
 
 /*
@@ -909,15 +1006,14 @@
  * jobject ckAttributeValueToJObject(JNIEnv *env,
  *                                   const CK_ATTRIBUTE_PTR ckpAttribute);
  *
- * void jObjectToPrimitiveCKObjectPtrPtr(JNIEnv *env,
+ * CK_VOID_PTR jObjectToPrimitiveCKObjectPtr(JNIEnv *env,
  *                                       jobject jObject,
- *                                       CK_VOID_PTR *ckpObjectPtr,
  *                                       CK_ULONG *pLength);
  *
- * void jMechanismParameterToCKMechanismParameter(JNIEnv *env,
- *                                                jobject jParam,
- *                                                CK_VOID_PTR *ckpParamPtr,
- *                                                CK_ULONG *ckpLength);
+ * CK_VOID_PTR jMechParamToCKMechParamPtr(JNIEnv *env,
+ *                              jobject jParam,
+ *                              CK_MECHANISM_TYPE ckMech,
+ *                              CK_ULONG *ckpLength);
  *
  * These functions are used if a PKCS#11 mechanism or attribute structure gets
  * convertet to a Java attribute or mechanism object or vice versa.
@@ -927,22 +1023,21 @@
  * be a CK_ULONG, CK_BYTE[], CK_CHAR[], big integer, CK_BBOOL, CK_UTF8CHAR[],
  * CK_DATE or CK_FLAGS that gets converted to a corresponding Java object.
  *
- * jObjectToPrimitiveCKObjectPtrPtr is used by jAttributeToCKAttributePtr for
+ * jObjectToPrimitiveCKObjectPtr is used by jAttributeToCKAttributePtr for
  * converting the Java attribute value to a PKCS#11 attribute value pointer.
  * For now only primitive datatypes and arrays of primitive datatypes can get
  * converted. Otherwise this function throws a PKCS#11Exception with the
  * errorcode CKR_VENDOR_DEFINED.
  *
- * jMechanismParameterToCKMechanismParameter converts a Java mechanism parameter
- * to a PKCS#11 mechanism parameter. First this function determines what mechanism
- * parameter the Java object is, then it allocates the memory for the new PKCS#11
- * structure and calls the corresponding function to convert the Java object to
- * a PKCS#11 mechanism parameter structure.
+ * jMechParamToCKMechParamPtr converts a Java mechanism parameter to a PKCS#11
+ * mechanism parameter. Based on the specified PKCS#11 mechanism type, this
+ * function will allocate memory for a PKCS#11 parameter structure and
+ * populate its field using the Java object.
  */
 
 /*
- * converts the pValue of a CK_ATTRIBUTE structure into a Java Object by checking the type
- * of the attribute.
+ * converts the pValue of a CK_ATTRIBUTE structure into a Java Object by
+ * checking the type of the attribute.
  *
  * @param env - used to call JNI funktions to create the new Java object
  * @param ckpAttribute - the pointer to the CK_ATTRIBUTE structure that contains the type
@@ -1096,474 +1191,283 @@
  *
  * @param env - used to call JNI funktions to get the Java classes and objects
  * @param jParam - the Java mechanism parameter object to convert
- * @param ckpParamPtr - the reference of the new pointer to the new CK mechanism parameter
- *                      structure
+ * @param ckMech - the PKCS#11 mechanism type
  * @param ckpLength - the reference of the length in bytes of the new CK mechanism parameter
  *                    structure
+ * @return pointer to the new CK mechanism parameter structure
  */
-void jMechanismParameterToCKMechanismParameter(JNIEnv *env, jobject jParam, CK_VOID_PTR *ckpParamPtr, CK_ULONG *ckpLength)
+CK_VOID_PTR jMechParamToCKMechParamPtr(JNIEnv *env, jobject jParam,
+        CK_MECHANISM_TYPE ckMech, CK_ULONG *ckpLength)
 {
+    CK_VOID_PTR ckpParamPtr;
     if (jParam == NULL) {
-        *ckpParamPtr = NULL;
+        ckpParamPtr = NULL;
         *ckpLength = 0;
     } else if ((*env)->IsInstanceOf(env, jParam, jByteArrayClass)) {
-        jByteArrayToCKByteArray(env, jParam, (CK_BYTE_PTR *)ckpParamPtr, ckpLength);
+        jByteArrayToCKByteArray(env, jParam, (CK_BYTE_PTR *) &ckpParamPtr, ckpLength);
     } else if ((*env)->IsInstanceOf(env, jParam, jLongClass)) {
-        *ckpParamPtr = jLongObjectToCKULongPtr(env, jParam);
+        ckpParamPtr = jLongObjectToCKULongPtr(env, jParam);
         *ckpLength = sizeof(CK_ULONG);
     } else {
-        TRACE0("\nSLOW PATH jMechanismParameterToCKMechanismParameter\n");
-        jMechanismParameterToCKMechanismParameterSlow(env, jParam, ckpParamPtr, ckpLength);
+        ckpParamPtr = jMechParamToCKMechParamPtrSlow(env, jParam, ckMech, ckpLength);
     }
+    return ckpParamPtr;
 }
 
-void jMechanismParameterToCKMechanismParameterSlow(JNIEnv *env, jobject jParam, CK_VOID_PTR *ckpParamPtr, CK_ULONG *ckpLength)
+CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam,
+        CK_MECHANISM_TYPE ckMech, CK_ULONG *ckpLength)
 {
-    /* get all Java mechanism parameter classes */
-    jclass jVersionClass, jSsl3MasterKeyDeriveParamsClass;
-    jclass jTls12MasterKeyDeriveParamsClass, jSsl3KeyMatParamsClass;
-    jclass jTls12KeyMatParamsClass;
-    jclass jTlsPrfParamsClass, jTlsMacParamsClass, jAesCtrParamsClass;
-    jclass jRsaPkcsOaepParamsClass;
-    jclass jPbeParamsClass, jPkcs5Pbkd2ParamsClass, jRsaPkcsPssParamsClass;
-    jclass jEcdh1DeriveParamsClass, jEcdh2DeriveParamsClass;
-    jclass jX942Dh1DeriveParamsClass, jX942Dh2DeriveParamsClass;
-    TRACE0("\nDEBUG: jMechanismParameterToCKMechanismParameter");
+    CK_VOID_PTR ckpParamPtr = NULL;
 
-    /* most common cases, i.e. NULL/byte[]/long, are already handled by
-     * jMechanismParameterToCKMechanismParameter before calling this method.
+    /*
+     * Most common cases, i.e. NULL/byte[]/long, are already handled by
+     * jMechParamToCKMechParam before calling this method.
      */
-    jVersionClass = (*env)->FindClass(env, CLASS_VERSION);
-    if (jVersionClass == NULL) { return; }
-    if ((*env)->IsInstanceOf(env, jParam, jVersionClass)) {
-        /*
-         * CK_VERSION used by CKM_SSL3_PRE_MASTER_KEY_GEN
-         */
-        CK_VERSION_PTR ckpParam;
+    TRACE1("\nDEBUG: jMechParamToCKMechParamPtrSlow, mech=0x%lX", ckMech);
 
-        /* convert jParameter to CKParameter */
-        ckpParam = jVersionToCKVersionPtr(env, jParam);
+    switch (ckMech) {
+        case CKM_SSL3_PRE_MASTER_KEY_GEN:
+        case CKM_TLS_PRE_MASTER_KEY_GEN:
+            *ckpLength = sizeof(CK_VERSION);
+            ckpParamPtr = jVersionToCKVersionPtr(env, jParam);
+            break;
+        case CKM_SSL3_MASTER_KEY_DERIVE:
+        case CKM_TLS_MASTER_KEY_DERIVE:
+        case CKM_SSL3_MASTER_KEY_DERIVE_DH:
+        case CKM_TLS_MASTER_KEY_DERIVE_DH:
+            ckpParamPtr =
+                    malloc(sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS));
+            if (ckpParamPtr == NULL) {
+                throwOutOfMemoryError(env, 0);
+                return NULL;
+            }
+            *ckpLength = sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS);
 
-        /* get length and pointer of parameter */
-        *ckpLength = sizeof(CK_VERSION);
-        *ckpParamPtr = ckpParam;
-        return;
+            jSsl3MasterKeyDeriveParamToCKSsl3MasterKeyDeriveParam(env, jParam,
+                    (CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR) ckpParamPtr);
+            break;
+        case CKM_SSL3_KEY_AND_MAC_DERIVE:
+        case CKM_TLS_KEY_AND_MAC_DERIVE:
+            ckpParamPtr =
+                    malloc(sizeof(CK_SSL3_KEY_MAT_PARAMS));
+            if (ckpParamPtr == NULL) {
+                 throwOutOfMemoryError(env, 0);
+                 return NULL;
+            }
+            *ckpLength = sizeof(CK_SSL3_KEY_MAT_PARAMS);
+
+            jSsl3KeyMatParamToCKSsl3KeyMatParam(env, jParam,
+                    (CK_SSL3_KEY_MAT_PARAMS_PTR) ckpParamPtr);
+            break;
+        case CKM_TLS12_KEY_AND_MAC_DERIVE:
+            ckpParamPtr =
+                    malloc(sizeof(CK_TLS12_KEY_MAT_PARAMS));
+            if (ckpParamPtr == NULL) {
+                throwOutOfMemoryError(env, 0);
+                return NULL;
+            }
+            *ckpLength = sizeof(CK_TLS12_KEY_MAT_PARAMS);
+
+            jTls12KeyMatParamToCKTls12KeyMatParam(env, jParam,
+                    (CK_TLS12_KEY_MAT_PARAMS_PTR) ckpParamPtr);
+            break;
+        case CKM_TLS12_MASTER_KEY_DERIVE:
+        case CKM_TLS12_MASTER_KEY_DERIVE_DH:
+            ckpParamPtr =
+                    malloc(sizeof(CK_TLS12_MASTER_KEY_DERIVE_PARAMS));
+            if (ckpParamPtr == NULL) {
+                throwOutOfMemoryError(env, 0);
+                return NULL;
+            }
+            *ckpLength = sizeof(CK_TLS12_MASTER_KEY_DERIVE_PARAMS);
+
+            jTls12MasterKeyDeriveParamToCKTls12MasterKeyDeriveParam(env, jParam,
+                    (CK_TLS12_MASTER_KEY_DERIVE_PARAMS_PTR) ckpParamPtr);
+            break;
+        case CKM_TLS_PRF:
+        case CKM_NSS_TLS_PRF_GENERAL:
+            ckpParamPtr = malloc(sizeof(CK_TLS_PRF_PARAMS));
+            if (ckpParamPtr == NULL) {
+                throwOutOfMemoryError(env, 0);
+                return NULL;
+            }
+            *ckpLength = sizeof(CK_TLS_PRF_PARAMS);
+
+            jTlsPrfParamsToCKTlsPrfParam(env, jParam,
+                    (CK_TLS_PRF_PARAMS_PTR) ckpParamPtr);
+            break;
+        case CKM_TLS_MAC:
+            ckpParamPtr = malloc(sizeof(CK_TLS_MAC_PARAMS));
+            if (ckpParamPtr == NULL) {
+                throwOutOfMemoryError(env, 0);
+                return NULL;
+            }
+            *ckpLength = sizeof(CK_TLS_MAC_PARAMS);
+
+            jTlsMacParamsToCKTlsMacParam(env, jParam,
+                    (CK_TLS_MAC_PARAMS_PTR) ckpParamPtr);
+            break;
+        case CKM_AES_CTR:
+            ckpParamPtr = malloc(sizeof(CK_AES_CTR_PARAMS));
+            if (ckpParamPtr == NULL) {
+                throwOutOfMemoryError(env, 0);
+                return NULL;
+            }
+            *ckpLength = sizeof(CK_AES_CTR_PARAMS);
+
+            jAesCtrParamsToCKAesCtrParam(env, jParam,
+                    (CK_AES_CTR_PARAMS_PTR) ckpParamPtr);
+            break;
+        case CKM_AES_GCM:
+            ckpParamPtr = malloc(sizeof(CK_GCM_PARAMS));
+            if (ckpParamPtr == NULL) {
+                throwOutOfMemoryError(env, 0);
+                return NULL;
+            }
+            *ckpLength = sizeof(CK_GCM_PARAMS);
+
+            jGCMParamsToCKGCMParam(env, jParam, (CK_GCM_PARAMS_PTR) ckpParamPtr);
+            break;
+        case CKM_AES_CCM:
+            ckpParamPtr = malloc(sizeof(CK_CCM_PARAMS));
+            if (ckpParamPtr == NULL) {
+                throwOutOfMemoryError(env, 0);
+                return NULL;
+            }
+            *ckpLength = sizeof(CK_CCM_PARAMS);
+
+            jCCMParamsToCKCCMParam(env, jParam,
+                    (CK_CCM_PARAMS_PTR) ckpParamPtr);
+            break;
+        case CKM_RSA_PKCS_OAEP:
+            ckpParamPtr = malloc(sizeof(CK_RSA_PKCS_OAEP_PARAMS));
+            if (ckpParamPtr == NULL) {
+                throwOutOfMemoryError(env, 0);
+                return NULL;
+            }
+            *ckpLength = sizeof(CK_RSA_PKCS_OAEP_PARAMS);
+
+            jRsaPkcsOaepParamToCKRsaPkcsOaepParam(env, jParam,
+                    (CK_RSA_PKCS_OAEP_PARAMS_PTR) ckpParamPtr);
+            break;
+        case CKM_PBE_SHA1_DES3_EDE_CBC:
+        case CKM_PBE_SHA1_DES2_EDE_CBC:
+        case CKM_PBA_SHA1_WITH_SHA1_HMAC:
+            ckpParamPtr = malloc(sizeof(CK_PBE_PARAMS));
+            if (ckpParamPtr == NULL) {
+                throwOutOfMemoryError(env, 0);
+                return NULL;
+            }
+
+            *ckpLength = sizeof(CK_PBE_PARAMS);
+
+            jPbeParamToCKPbeParam(env, jParam, (CK_PBE_PARAMS_PTR) ckpParamPtr);
+            break;
+        case CKM_PKCS5_PBKD2:
+            ckpParamPtr = malloc(sizeof(CK_PKCS5_PBKD2_PARAMS));
+            if (ckpParamPtr == NULL) {
+                throwOutOfMemoryError(env, 0);
+                return NULL;
+            }
+            *ckpLength = sizeof(CK_PKCS5_PBKD2_PARAMS);
+
+            jPkcs5Pbkd2ParamToCKPkcs5Pbkd2Param(env, jParam,
+                     (CK_PKCS5_PBKD2_PARAMS_PTR) ckpParamPtr);
+            break;
+        case CKM_RSA_PKCS_PSS:
+        case CKM_SHA1_RSA_PKCS_PSS:
+        case CKM_SHA256_RSA_PKCS_PSS:
+        case CKM_SHA384_RSA_PKCS_PSS:
+        case CKM_SHA512_RSA_PKCS_PSS:
+        case CKM_SHA224_RSA_PKCS_PSS:
+            ckpParamPtr = malloc(sizeof(CK_RSA_PKCS_PSS_PARAMS));
+            if (ckpParamPtr == NULL) {
+                throwOutOfMemoryError(env, 0);
+                return NULL;
+            }
+            *ckpLength = sizeof(CK_RSA_PKCS_PSS_PARAMS);
+
+            jRsaPkcsPssParamToCKRsaPkcsPssParam(env, jParam,
+                    (CK_RSA_PKCS_PSS_PARAMS_PTR) ckpParamPtr);
+            break;
+        case CKM_ECDH1_DERIVE:
+        case CKM_ECDH1_COFACTOR_DERIVE:
+            ckpParamPtr = malloc(sizeof(CK_ECDH1_DERIVE_PARAMS));
+            if (ckpParamPtr == NULL) {
+                throwOutOfMemoryError(env, 0);
+                return NULL;
+            }
+            *ckpLength = sizeof(CK_ECDH1_DERIVE_PARAMS);
+
+            jEcdh1DeriveParamToCKEcdh1DeriveParam(env, jParam,
+                    (CK_ECDH1_DERIVE_PARAMS_PTR) ckpParamPtr);
+            break;
+        case CKM_ECMQV_DERIVE:
+            ckpParamPtr = malloc(sizeof(CK_ECDH2_DERIVE_PARAMS));
+            if (ckpParamPtr == NULL) {
+                throwOutOfMemoryError(env, 0);
+                return NULL;
+            }
+            *ckpLength = sizeof(CK_ECDH2_DERIVE_PARAMS);
+
+            jEcdh2DeriveParamToCKEcdh2DeriveParam(env, jParam,
+                    (CK_ECDH2_DERIVE_PARAMS_PTR) ckpParamPtr);
+            break;
+        case CKM_X9_42_DH_DERIVE:
+            ckpParamPtr = malloc(sizeof(CK_X9_42_DH1_DERIVE_PARAMS));
+            if (ckpParamPtr == NULL) {
+                throwOutOfMemoryError(env, 0);
+                return NULL;
+            }
+            *ckpLength = sizeof(CK_X9_42_DH1_DERIVE_PARAMS);
+
+            /* convert jParameter to CKParameter */
+            jX942Dh1DeriveParamToCKX942Dh1DeriveParam(env, jParam,
+                (CK_X9_42_DH1_DERIVE_PARAMS_PTR) ckpParamPtr);
+            break;
+        case CKM_X9_42_DH_HYBRID_DERIVE:
+        case CKM_X9_42_MQV_DERIVE:
+            ckpParamPtr = malloc(sizeof(CK_X9_42_DH2_DERIVE_PARAMS));
+            if (ckpParamPtr == NULL) {
+                throwOutOfMemoryError(env, 0);
+                return NULL;
+            }
+            *ckpLength = sizeof(CK_X9_42_DH2_DERIVE_PARAMS);
+
+            jX942Dh2DeriveParamToCKX942Dh2DeriveParam(env, jParam,
+                    (CK_X9_42_DH2_DERIVE_PARAMS_PTR) ckpParamPtr);
+            break;
+        // defined by pkcs11.h but we don't support
+        case CKM_KEA_DERIVE: // CK_KEA_DERIVE_PARAMS
+        case CKM_RC2_CBC: // CK_RC2_CBC_PARAMS
+        case CKM_RC2_MAC_GENERAL: // CK_RC2_MAC_GENERAL_PARAMS
+        case CKM_RC5_ECB: // CK_RC5_PARAMS
+        case CKM_RC5_MAC: // CK_RC5_PARAMS
+        case CKM_RC5_CBC: // CK_RC5_CBC_PARAMS
+        case CKM_RC5_MAC_GENERAL: // CK_RC5_MAC_GENERAL_PARAMS
+        case CKM_SKIPJACK_PRIVATE_WRAP: // CK_SKIPJACK_PRIVATE_WRAP_PARAMS
+        case CKM_SKIPJACK_RELAYX: // CK_SKIPJACK_RELAYX_PARAMS
+        case CKM_KEY_WRAP_SET_OAEP: // CK_KEY_WRAP_SET_OAEP_PARAMS
+            throwPKCS11RuntimeException(env, "No parameter support for this mchanism");
+            break;
+        default:
+            /* if everything faild up to here */
+            /* try if the parameter is a primitive Java type */
+            ckpParamPtr = jObjectToPrimitiveCKObjectPtr(env, jParam, ckpLength);
+            /* *ckpParamPtr = jObjectToCKVoidPtr(jParam); */
+            /* *ckpLength = 1; */
+    }
+    TRACE0("\nDEBUG: jMechParamToCKMechParamPtrSlow FINISHED\n");
+
+    if ((*env)->ExceptionCheck(env)) {
+        free(ckpParamPtr);
+        *ckpLength = 0;
+        return NULL;
     }
 
-    jSsl3MasterKeyDeriveParamsClass = (*env)->FindClass(env, CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS);
-    if (jSsl3MasterKeyDeriveParamsClass == NULL) { return; }
-    if ((*env)->IsInstanceOf(env, jParam, jSsl3MasterKeyDeriveParamsClass)) {
-        /*
-         * CK_SSL3_MASTER_KEY_DERIVE_PARAMS
-         */
-        CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR ckpParam;
-
-        ckpParam = (CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR) malloc(sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS));
-        if (ckpParam == NULL) {
-            throwOutOfMemoryError(env, 0);
-            return;
-        }
-
-        /* convert jParameter to CKParameter */
-        *ckpParam = jSsl3MasterKeyDeriveParamToCKSsl3MasterKeyDeriveParam(env, jParam);
-        if ((*env)->ExceptionCheck(env)) {
-            free(ckpParam);
-            return;
-        }
-
-        /* get length and pointer of parameter */
-        *ckpLength = sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS);
-        *ckpParamPtr = ckpParam;
-        return;
-    }
-
-    jSsl3KeyMatParamsClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_PARAMS);
-    if (jSsl3KeyMatParamsClass == NULL) { return; }
-    if ((*env)->IsInstanceOf(env, jParam, jSsl3KeyMatParamsClass)) {
-        /*
-         * CK_SSL3_KEY_MAT_PARAMS
-         */
-        CK_SSL3_KEY_MAT_PARAMS_PTR ckpParam;
-
-        ckpParam = (CK_SSL3_KEY_MAT_PARAMS_PTR) malloc(sizeof(CK_SSL3_KEY_MAT_PARAMS));
-        if (ckpParam == NULL) {
-            throwOutOfMemoryError(env, 0);
-            return;
-        }
-
-        /* convert jParameter to CKParameter */
-        *ckpParam = jSsl3KeyMatParamToCKSsl3KeyMatParam(env, jParam);
-        if ((*env)->ExceptionCheck(env)) {
-            free(ckpParam);
-            return;
-        }
-
-        /* get length and pointer of parameter */
-        *ckpLength = sizeof(CK_SSL3_KEY_MAT_PARAMS);
-        *ckpParamPtr = ckpParam;
-        return;
-    }
-
-    jTls12KeyMatParamsClass = (*env)->FindClass(env, CLASS_TLS12_KEY_MAT_PARAMS);
-    if (jTls12KeyMatParamsClass == NULL) { return; }
-    if ((*env)->IsInstanceOf(env, jParam, jTls12KeyMatParamsClass)) {
-        /*
-         * CK_TLS12_KEY_MAT_PARAMS
-         */
-        CK_TLS12_KEY_MAT_PARAMS_PTR ckpParam;
-
-        ckpParam = (CK_TLS12_KEY_MAT_PARAMS_PTR) malloc(sizeof(CK_TLS12_KEY_MAT_PARAMS));
-        if (ckpParam == NULL) {
-            throwOutOfMemoryError(env, 0);
-            return;
-        }
-
-        /* convert jParameter to CKParameter */
-        *ckpParam = jTls12KeyMatParamToCKTls12KeyMatParam(env, jParam);
-        if ((*env)->ExceptionCheck(env)) {
-            free(ckpParam);
-            return;
-        }
-
-        /* get length and pointer of parameter */
-        *ckpLength = sizeof(CK_TLS12_KEY_MAT_PARAMS);
-        *ckpParamPtr = ckpParam;
-        return;
-    }
-
-    jTls12MasterKeyDeriveParamsClass =
-            (*env)->FindClass(env, CLASS_TLS12_MASTER_KEY_DERIVE_PARAMS);
-    if (jTls12MasterKeyDeriveParamsClass == NULL) { return; }
-    if ((*env)->IsInstanceOf(env, jParam, jTls12MasterKeyDeriveParamsClass)) {
-        /*
-         * CK_TLS12_MASTER_KEY_DERIVE_PARAMS
-         */
-        CK_TLS12_MASTER_KEY_DERIVE_PARAMS_PTR ckpParam;
-
-        ckpParam = (CK_TLS12_MASTER_KEY_DERIVE_PARAMS_PTR)malloc(
-                sizeof(CK_TLS12_MASTER_KEY_DERIVE_PARAMS));
-        if (ckpParam == NULL) {
-            throwOutOfMemoryError(env, 0);
-            return;
-        }
-
-        /* convert jParameter to CKParameter */
-        *ckpParam = jTls12MasterKeyDeriveParamToCKTls12MasterKeyDeriveParam(env, jParam);
-        if ((*env)->ExceptionCheck(env)) {
-            free(ckpParam);
-            return;
-        }
-
-        /* get length and pointer of parameter */
-        *ckpLength = sizeof(CK_TLS12_MASTER_KEY_DERIVE_PARAMS);
-        *ckpParamPtr = ckpParam;
-        return;
-    }
-
-    jTlsPrfParamsClass = (*env)->FindClass(env, CLASS_TLS_PRF_PARAMS);
-    if (jTlsPrfParamsClass == NULL) { return; }
-    if ((*env)->IsInstanceOf(env, jParam, jTlsPrfParamsClass)) {
-        /*
-         * CK_TLS_PRF_PARAMS
-         */
-        CK_TLS_PRF_PARAMS_PTR ckpParam;
-
-        ckpParam = (CK_TLS_PRF_PARAMS_PTR) malloc(sizeof(CK_TLS_PRF_PARAMS));
-        if (ckpParam == NULL) {
-            throwOutOfMemoryError(env, 0);
-            return;
-        }
-
-        /* convert jParameter to CKParameter */
-        *ckpParam = jTlsPrfParamsToCKTlsPrfParam(env, jParam);
-        if ((*env)->ExceptionCheck(env)) {
-            free(ckpParam);
-            return;
-        }
-
-        /* get length and pointer of parameter */
-        *ckpLength = sizeof(CK_TLS_PRF_PARAMS);
-        *ckpParamPtr = ckpParam;
-        return;
-    }
-
-    jTlsMacParamsClass = (*env)->FindClass(env, CLASS_TLS_MAC_PARAMS);
-    if (jTlsMacParamsClass == NULL) { return; }
-    if ((*env)->IsInstanceOf(env, jParam, jTlsMacParamsClass)) {
-        CK_TLS_MAC_PARAMS_PTR ckpParam;
-
-        ckpParam = (CK_TLS_MAC_PARAMS_PTR) malloc(sizeof(CK_TLS_MAC_PARAMS));
-        if (ckpParam == NULL) {
-            throwOutOfMemoryError(env, 0);
-            return;
-        }
-
-        /* convert jParameter to CKParameter */
-        *ckpParam = jTlsMacParamsToCKTlsMacParam(env, jParam);
-        if ((*env)->ExceptionCheck(env)) {
-            free(ckpParam);
-            return;
-        }
-
-        /* get length and pointer of parameter */
-        *ckpLength = sizeof(CK_TLS_MAC_PARAMS);
-        *ckpParamPtr = ckpParam;
-        return;
-    }
-
-    jAesCtrParamsClass = (*env)->FindClass(env, CLASS_AES_CTR_PARAMS);
-    if (jAesCtrParamsClass == NULL) { return; }
-    if ((*env)->IsInstanceOf(env, jParam, jAesCtrParamsClass)) {
-        /*
-         * CK_AES_CTR_PARAMS
-         */
-        CK_AES_CTR_PARAMS_PTR ckpParam;
-
-        ckpParam = (CK_AES_CTR_PARAMS_PTR) malloc(sizeof(CK_AES_CTR_PARAMS));
-        if (ckpParam == NULL) {
-            throwOutOfMemoryError(env, 0);
-            return;
-        }
-
-        /* convert jParameter to CKParameter */
-        jAesCtrParamsToCKAesCtrParam(env, jParam, ckpParam);
-        if ((*env)->ExceptionCheck(env)) {
-            free(ckpParam);
-            return;
-        }
-
-        /* get length and pointer of parameter */
-        *ckpLength = sizeof(CK_AES_CTR_PARAMS);
-        *ckpParamPtr = ckpParam;
-        return;
-    }
-
-    jRsaPkcsOaepParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_OAEP_PARAMS);
-    if (jRsaPkcsOaepParamsClass == NULL) { return; }
-    if ((*env)->IsInstanceOf(env, jParam, jRsaPkcsOaepParamsClass)) {
-        /*
-         * CK_RSA_PKCS_OAEP_PARAMS
-         */
-        CK_RSA_PKCS_OAEP_PARAMS_PTR ckpParam;
-
-        ckpParam = (CK_RSA_PKCS_OAEP_PARAMS_PTR) malloc(sizeof(CK_RSA_PKCS_OAEP_PARAMS));
-        if (ckpParam == NULL) {
-            throwOutOfMemoryError(env, 0);
-            return;
-        }
-
-        /* convert jParameter to CKParameter */
-        *ckpParam = jRsaPkcsOaepParamToCKRsaPkcsOaepParam(env, jParam);
-        if ((*env)->ExceptionCheck(env)) {
-            free(ckpParam);
-            return;
-        }
-
-        /* get length and pointer of parameter */
-        *ckpLength = sizeof(CK_RSA_PKCS_OAEP_PARAMS);
-        *ckpParamPtr = ckpParam;
-        return;
-    }
-
-    jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS);
-    if (jPbeParamsClass == NULL) { return; }
-    if ((*env)->IsInstanceOf(env, jParam, jPbeParamsClass)) {
-        /*
-         * CK_PBE_PARAMS
-         */
-        CK_PBE_PARAMS_PTR ckpParam;
-
-        ckpParam = (CK_PBE_PARAMS_PTR) malloc(sizeof(CK_PBE_PARAMS));
-        if (ckpParam == NULL) {
-            throwOutOfMemoryError(env, 0);
-            return;
-        }
-
-        /* convert jParameter to CKParameter */
-        *ckpParam = jPbeParamToCKPbeParam(env, jParam);
-        if ((*env)->ExceptionCheck(env)) {
-            free(ckpParam);
-            return;
-        }
-
-        /* get length and pointer of parameter */
-        *ckpLength = sizeof(CK_PBE_PARAMS);
-        *ckpParamPtr = ckpParam;
-        return;
-    }
-
-    jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS);
-    if (jPkcs5Pbkd2ParamsClass == NULL) { return; }
-    if ((*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) {
-        /*
-         * CK_PKCS5_PBKD2_PARAMS
-         */
-        CK_PKCS5_PBKD2_PARAMS_PTR ckpParam;
-
-        ckpParam = (CK_PKCS5_PBKD2_PARAMS_PTR) malloc(sizeof(CK_PKCS5_PBKD2_PARAMS));
-        if (ckpParam == NULL) {
-            throwOutOfMemoryError(env, 0);
-            return;
-        }
-
-        /* convert jParameter to CKParameter */
-        *ckpParam = jPkcs5Pbkd2ParamToCKPkcs5Pbkd2Param(env, jParam);
-        if ((*env)->ExceptionCheck(env)) {
-            free(ckpParam);
-            return;
-        }
-
-        /* get length and pointer of parameter */
-        *ckpLength = sizeof(CK_PKCS5_PBKD2_PARAMS);
-        *ckpParamPtr = ckpParam;
-        return;
-    }
-
-    jRsaPkcsPssParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_PSS_PARAMS);
-    if (jRsaPkcsPssParamsClass == NULL) { return; }
-    if ((*env)->IsInstanceOf(env, jParam, jRsaPkcsPssParamsClass)) {
-        /*
-         * CK_RSA_PKCS_PSS_PARAMS
-         */
-        CK_RSA_PKCS_PSS_PARAMS_PTR ckpParam;
-
-        ckpParam = (CK_RSA_PKCS_PSS_PARAMS_PTR) malloc(sizeof(CK_RSA_PKCS_PSS_PARAMS));
-        if (ckpParam == NULL) {
-            throwOutOfMemoryError(env, 0);
-            return;
-        }
-
-        /* convert jParameter to CKParameter */
-        *ckpParam = jRsaPkcsPssParamToCKRsaPkcsPssParam(env, jParam);
-        if ((*env)->ExceptionCheck(env)) {
-            free(ckpParam);
-            return;
-        }
-
-        /* get length and pointer of parameter */
-        *ckpLength = sizeof(CK_RSA_PKCS_PSS_PARAMS);
-        *ckpParamPtr = ckpParam;
-        return;
-    }
-
-    jEcdh1DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH1_DERIVE_PARAMS);
-    if (jEcdh1DeriveParamsClass == NULL) { return; }
-    if ((*env)->IsInstanceOf(env, jParam, jEcdh1DeriveParamsClass)) {
-        /*
-         * CK_ECDH1_DERIVE_PARAMS
-         */
-        CK_ECDH1_DERIVE_PARAMS_PTR ckpParam;
-
-        ckpParam = (CK_ECDH1_DERIVE_PARAMS_PTR) malloc(sizeof(CK_ECDH1_DERIVE_PARAMS));
-        if (ckpParam == NULL) {
-            throwOutOfMemoryError(env, 0);
-            return;
-        }
-
-        /* convert jParameter to CKParameter */
-        *ckpParam = jEcdh1DeriveParamToCKEcdh1DeriveParam(env, jParam);
-        if ((*env)->ExceptionCheck(env)) {
-            free(ckpParam);
-            return;
-        }
-
-        /* get length and pointer of parameter */
-        *ckpLength = sizeof(CK_ECDH1_DERIVE_PARAMS);
-        *ckpParamPtr = ckpParam;
-        return;
-    }
-
-    jEcdh2DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH2_DERIVE_PARAMS);
-    if (jEcdh2DeriveParamsClass == NULL) { return; }
-    if ((*env)->IsInstanceOf(env, jParam, jEcdh2DeriveParamsClass)) {
-        /*
-         * CK_ECDH2_DERIVE_PARAMS
-         */
-        CK_ECDH2_DERIVE_PARAMS_PTR ckpParam;
-
-        ckpParam = (CK_ECDH2_DERIVE_PARAMS_PTR) malloc(sizeof(CK_ECDH2_DERIVE_PARAMS));
-        if (ckpParam == NULL) {
-            throwOutOfMemoryError(env, 0);
-            return;
-        }
-
-        /* convert jParameter to CKParameter */
-        *ckpParam = jEcdh2DeriveParamToCKEcdh2DeriveParam(env, jParam);
-        if ((*env)->ExceptionCheck(env)) {
-            free(ckpParam);
-            return;
-        }
-
-        /* get length and pointer of parameter */
-        *ckpLength = sizeof(CK_ECDH2_DERIVE_PARAMS);
-        *ckpParamPtr = ckpParam;
-        return;
-    }
-
-    jX942Dh1DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH1_DERIVE_PARAMS);
-    if (jX942Dh1DeriveParamsClass == NULL) { return; }
-    if ((*env)->IsInstanceOf(env, jParam, jX942Dh1DeriveParamsClass)) {
-        /*
-         * CK_X9_42_DH1_DERIVE_PARAMS
-         */
-        CK_X9_42_DH1_DERIVE_PARAMS_PTR ckpParam;
-
-        ckpParam = (CK_X9_42_DH1_DERIVE_PARAMS_PTR) malloc(sizeof(CK_X9_42_DH1_DERIVE_PARAMS));
-        if (ckpParam == NULL) {
-            throwOutOfMemoryError(env, 0);
-            return;
-        }
-
-        /* convert jParameter to CKParameter */
-        *ckpParam = jX942Dh1DeriveParamToCKX942Dh1DeriveParam(env, jParam);
-        if ((*env)->ExceptionCheck(env)) {
-            free(ckpParam);
-            return;
-        }
-
-        /* get length and pointer of parameter */
-        *ckpLength = sizeof(CK_X9_42_DH1_DERIVE_PARAMS);
-        *ckpParamPtr = ckpParam;
-        return;
-    }
-
-    jX942Dh2DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH2_DERIVE_PARAMS);
-    if (jX942Dh2DeriveParamsClass == NULL) { return; }
-    if ((*env)->IsInstanceOf(env, jParam, jX942Dh2DeriveParamsClass)) {
-        /*
-         * CK_X9_42_DH2_DERIVE_PARAMS
-         */
-        CK_X9_42_DH2_DERIVE_PARAMS_PTR ckpParam;
-
-        ckpParam = (CK_X9_42_DH2_DERIVE_PARAMS_PTR) malloc(sizeof(CK_X9_42_DH2_DERIVE_PARAMS));
-        if (ckpParam == NULL) {
-            throwOutOfMemoryError(env, 0);
-            return;
-        }
-
-        /* convert jParameter to CKParameter */
-        *ckpParam = jX942Dh2DeriveParamToCKX942Dh2DeriveParam(env, jParam);
-        if ((*env)->ExceptionCheck(env)) {
-            free(ckpParam);
-            return;
-        }
-
-        /* get length and pointer of parameter */
-        *ckpLength = sizeof(CK_X9_42_DH2_DERIVE_PARAMS);
-        *ckpParamPtr = ckpParam;
-        return;
-    }
-
-    /* if everything faild up to here */
-    /* try if the parameter is a primitive Java type */
-    jObjectToPrimitiveCKObjectPtrPtr(env, jParam, ckpParamPtr, ckpLength);
-    /* *ckpParamPtr = jObjectToCKVoidPtr(jParam); */
-    /* *ckpLength = 1; */
-
-    TRACE0("FINISHED\n");
+    return ckpParamPtr;
 }
 
-
 /* the mechanism parameter convertion functions: */
 
 /*
@@ -1573,47 +1477,45 @@
  * @param jParam - the Java CK_RSA_PKCS_OAEP_PARAMS object to convert
  * @return - the new CK_RSA_PKCS_OAEP_PARAMS structure
  */
-CK_RSA_PKCS_OAEP_PARAMS jRsaPkcsOaepParamToCKRsaPkcsOaepParam(JNIEnv *env, jobject jParam)
+void jRsaPkcsOaepParamToCKRsaPkcsOaepParam(JNIEnv *env, jobject jParam,
+CK_RSA_PKCS_OAEP_PARAMS_PTR ckParamPtr)
 {
     jclass jRsaPkcsOaepParamsClass;
-    CK_RSA_PKCS_OAEP_PARAMS ckParam;
     jfieldID fieldID;
     jlong jHashAlg, jMgf, jSource;
     jobject jSourceData;
     CK_BYTE_PTR ckpByte;
-    memset(&ckParam, 0, sizeof(CK_RSA_PKCS_OAEP_PARAMS));
+    memset(ckParamPtr, 0, sizeof(CK_RSA_PKCS_OAEP_PARAMS));
 
     /* get hashAlg */
     jRsaPkcsOaepParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_OAEP_PARAMS);
-    if (jRsaPkcsOaepParamsClass == NULL) { return ckParam; }
+    if (jRsaPkcsOaepParamsClass == NULL) { return; }
     fieldID = (*env)->GetFieldID(env, jRsaPkcsOaepParamsClass, "hashAlg", "J");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jHashAlg = (*env)->GetLongField(env, jParam, fieldID);
 
     /* get mgf */
     fieldID = (*env)->GetFieldID(env, jRsaPkcsOaepParamsClass, "mgf", "J");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jMgf = (*env)->GetLongField(env, jParam, fieldID);
 
     /* get source */
     fieldID = (*env)->GetFieldID(env, jRsaPkcsOaepParamsClass, "source", "J");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jSource = (*env)->GetLongField(env, jParam, fieldID);
 
     /* get sourceData and sourceDataLength */
     fieldID = (*env)->GetFieldID(env, jRsaPkcsOaepParamsClass, "pSourceData", "[B");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jSourceData = (*env)->GetObjectField(env, jParam, fieldID);
 
     /* populate java values */
-    ckParam.hashAlg = jLongToCKULong(jHashAlg);
-    ckParam.mgf = jLongToCKULong(jMgf);
-    ckParam.source = jLongToCKULong(jSource);
-    jByteArrayToCKByteArray(env, jSourceData, & ckpByte, &(ckParam.ulSourceDataLen));
-    if ((*env)->ExceptionCheck(env)) { return ckParam; }
-    ckParam.pSourceData = (CK_VOID_PTR) ckpByte;
-
-    return ckParam ;
+    ckParamPtr->hashAlg = jLongToCKULong(jHashAlg);
+    ckParamPtr->mgf = jLongToCKULong(jMgf);
+    ckParamPtr->source = jLongToCKULong(jSource);
+    jByteArrayToCKByteArray(env, jSourceData, & ckpByte, &(ckParamPtr->ulSourceDataLen));
+    if ((*env)->ExceptionCheck(env)) { return; }
+    ckParamPtr->pSourceData = (CK_VOID_PTR) ckpByte;
 }
 
 /*
@@ -1621,57 +1523,55 @@
  *
  * @param env - used to call JNI funktions to get the Java classes and objects
  * @param jParam - the Java CK_PBE_PARAMS object to convert
- * @return - the new CK_PBE_PARAMS structure
+ * @param ckParamPtr pointer to the new CK_PBE_PARAMS structure
  */
-CK_PBE_PARAMS jPbeParamToCKPbeParam(JNIEnv *env, jobject jParam)
+void jPbeParamToCKPbeParam(JNIEnv *env, jobject jParam,
+CK_PBE_PARAMS_PTR ckParamPtr)
 {
     jclass jPbeParamsClass;
-    CK_PBE_PARAMS ckParam;
     jfieldID fieldID;
     jlong jIteration;
     jobject jInitVector, jPassword, jSalt;
     CK_ULONG ckTemp;
-    memset(&ckParam, 0, sizeof(CK_PBE_PARAMS));
+    memset(ckParamPtr, 0, sizeof(CK_PBE_PARAMS));
 
     /* get pInitVector */
     jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS);
-    if (jPbeParamsClass == NULL) { return ckParam; }
+    if (jPbeParamsClass == NULL) { return; }
     fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[C");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jInitVector = (*env)->GetObjectField(env, jParam, fieldID);
 
     /* get pPassword and ulPasswordLength */
     fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pPassword", "[C");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jPassword = (*env)->GetObjectField(env, jParam, fieldID);
 
     /* get pSalt and ulSaltLength */
     fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[C");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jSalt = (*env)->GetObjectField(env, jParam, fieldID);
 
     /* get ulIteration */
     fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "ulIteration", "J");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jIteration = (*env)->GetLongField(env, jParam, fieldID);
 
     /* populate java values */
-    ckParam.ulIteration = jLongToCKULong(jIteration);
-    jCharArrayToCKCharArray(env, jInitVector, &(ckParam.pInitVector), &ckTemp);
-    if ((*env)->ExceptionCheck(env)) { return ckParam; }
-    jCharArrayToCKCharArray(env, jPassword, &(ckParam.pPassword), &(ckParam.ulPasswordLen));
+    ckParamPtr->ulIteration = jLongToCKULong(jIteration);
+    jCharArrayToCKCharArray(env, jInitVector, &(ckParamPtr->pInitVector), &ckTemp);
+    if ((*env)->ExceptionCheck(env)) { return; }
+    jCharArrayToCKCharArray(env, jPassword, &(ckParamPtr->pPassword), &(ckParamPtr->ulPasswordLen));
     if ((*env)->ExceptionCheck(env)) {
-        free(ckParam.pInitVector);
-        return ckParam;
+        free(ckParamPtr->pInitVector);
+        return;
     }
-    jCharArrayToCKCharArray(env, jSalt, &(ckParam.pSalt), &(ckParam.ulSaltLen));
+    jCharArrayToCKCharArray(env, jSalt, &(ckParamPtr->pSalt), &(ckParamPtr->ulSaltLen));
     if ((*env)->ExceptionCheck(env)) {
-        free(ckParam.pInitVector);
-        free(ckParam.pPassword);
-        return ckParam;
+        free(ckParamPtr->pInitVector);
+        free(ckParamPtr->pPassword);
+        return;
     }
-
-    return ckParam ;
 }
 
 /*
@@ -1741,57 +1641,55 @@
  *
  * @param env - used to call JNI funktions to get the Java classes and objects
  * @param jParam - the Java CK_PKCS5_PBKD2_PARAMS object to convert
- * @return - the new CK_PKCS5_PBKD2_PARAMS structure
+ * @param ckParamPtr - pointer to the new CK_PKCS5_PBKD2_PARAMS structure
  */
-CK_PKCS5_PBKD2_PARAMS jPkcs5Pbkd2ParamToCKPkcs5Pbkd2Param(JNIEnv *env, jobject jParam)
+void jPkcs5Pbkd2ParamToCKPkcs5Pbkd2Param(JNIEnv *env, jobject jParam,
+CK_PKCS5_PBKD2_PARAMS_PTR ckParamPtr)
 {
     jclass jPkcs5Pbkd2ParamsClass;
-    CK_PKCS5_PBKD2_PARAMS ckParam;
     jfieldID fieldID;
     jlong jSaltSource, jIteration, jPrf;
     jobject jSaltSourceData, jPrfData;
-    memset(&ckParam, 0, sizeof(CK_PKCS5_PBKD2_PARAMS));
+    memset(ckParamPtr, 0, sizeof(CK_PKCS5_PBKD2_PARAMS));
 
     /* get saltSource */
     jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS);
-    if (jPkcs5Pbkd2ParamsClass == NULL) { return ckParam; }
+    if (jPkcs5Pbkd2ParamsClass == NULL) { return; }
     fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "saltSource", "J");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jSaltSource = (*env)->GetLongField(env, jParam, fieldID);
 
     /* get pSaltSourceData */
     fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pSaltSourceData", "[B");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jSaltSourceData = (*env)->GetObjectField(env, jParam, fieldID);
 
     /* get iterations */
     fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "iterations", "J");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jIteration = (*env)->GetLongField(env, jParam, fieldID);
 
     /* get prf */
     fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "prf", "J");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jPrf = (*env)->GetLongField(env, jParam, fieldID);
 
     /* get pPrfData and ulPrfDataLength in byte */
     fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPrfData", "[B");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jPrfData = (*env)->GetObjectField(env, jParam, fieldID);
 
     /* populate java values */
-    ckParam.saltSource = jLongToCKULong(jSaltSource);
-    jByteArrayToCKByteArray(env, jSaltSourceData, (CK_BYTE_PTR *) &(ckParam.pSaltSourceData), &(ckParam.ulSaltSourceDataLen));
-    if ((*env)->ExceptionCheck(env)) { return ckParam; }
-    ckParam.iterations = jLongToCKULong(jIteration);
-    ckParam.prf = jLongToCKULong(jPrf);
-    jByteArrayToCKByteArray(env, jPrfData, (CK_BYTE_PTR *) &(ckParam.pPrfData), &(ckParam.ulPrfDataLen));
+    ckParamPtr->saltSource = jLongToCKULong(jSaltSource);
+    jByteArrayToCKByteArray(env, jSaltSourceData, (CK_BYTE_PTR *) &(ckParamPtr->pSaltSourceData), &(ckParamPtr->ulSaltSourceDataLen));
+    if ((*env)->ExceptionCheck(env)) { return; }
+    ckParamPtr->iterations = jLongToCKULong(jIteration);
+    ckParamPtr->prf = jLongToCKULong(jPrf);
+    jByteArrayToCKByteArray(env, jPrfData, (CK_BYTE_PTR *) &(ckParamPtr->pPrfData), &(ckParamPtr->ulPrfDataLen));
     if ((*env)->ExceptionCheck(env)) {
-        free(ckParam.pSaltSourceData);
-        return ckParam;
+        free(ckParamPtr->pSaltSourceData);
+        return;
     }
-
-    return ckParam ;
 }
 
 /*
@@ -1799,39 +1697,40 @@
  *
  * @param env - used to call JNI funktions to get the Java classes and objects
  * @param jParam - the Java CK_RSA_PKCS_PSS_PARAMS object to convert
- * @return - the new CK_RSA_PKCS_PSS_PARAMS structure
+ * @param ckParamPtr - pointer to the new CK_RSA_PKCS_PSS_PARAMS structure
  */
-CK_RSA_PKCS_PSS_PARAMS jRsaPkcsPssParamToCKRsaPkcsPssParam(JNIEnv *env, jobject jParam)
+void jRsaPkcsPssParamToCKRsaPkcsPssParam(JNIEnv *env, jobject jParam,
+CK_RSA_PKCS_PSS_PARAMS_PTR ckParamPtr)
 {
     jclass jRsaPkcsPssParamsClass;
-    CK_RSA_PKCS_PSS_PARAMS ckParam;
     jfieldID fieldID;
     jlong jHashAlg, jMgf, jSLen;
-    memset(&ckParam, 0, sizeof(CK_RSA_PKCS_PSS_PARAMS));
+    memset(ckParamPtr, 0, sizeof(CK_RSA_PKCS_PSS_PARAMS));
 
     /* get hashAlg */
     jRsaPkcsPssParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_PSS_PARAMS);
-    if (jRsaPkcsPssParamsClass == NULL) { return ckParam; }
+    if (jRsaPkcsPssParamsClass == NULL) { return; }
     fieldID = (*env)->GetFieldID(env, jRsaPkcsPssParamsClass, "hashAlg", "J");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jHashAlg = (*env)->GetLongField(env, jParam, fieldID);
 
     /* get mgf */
     fieldID = (*env)->GetFieldID(env, jRsaPkcsPssParamsClass, "mgf", "J");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jMgf = (*env)->GetLongField(env, jParam, fieldID);
 
     /* get sLen */
     fieldID = (*env)->GetFieldID(env, jRsaPkcsPssParamsClass, "sLen", "J");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jSLen = (*env)->GetLongField(env, jParam, fieldID);
 
     /* populate java values */
-    ckParam.hashAlg = jLongToCKULong(jHashAlg);
-    ckParam.mgf = jLongToCKULong(jMgf);
-    ckParam.sLen = jLongToCKULong(jSLen);
-
-    return ckParam ;
+    ckParamPtr->hashAlg = jLongToCKULong(jHashAlg);
+    ckParamPtr->mgf = jLongToCKULong(jMgf);
+    ckParamPtr->sLen = jLongToCKULong(jSLen);
+    TRACE1("DEBUG: jRsaPkcsPssParamToCKRsaPkcsPssParam, hashAlg=0x%lX\n", ckParamPtr->hashAlg);
+    TRACE1("DEBUG: jRsaPkcsPssParamToCKRsaPkcsPssParam, mgf=0x%lX\n", ckParamPtr->mgf);
+    TRACE1("DEBUG: jRsaPkcsPssParamToCKRsaPkcsPssParam, sLen=%lu\n", ckParamPtr->sLen);
 }
 
 /*
@@ -1839,46 +1738,44 @@
  *
  * @param env - used to call JNI funktions to get the Java classes and objects
  * @param jParam - the Java CK_ECDH1_DERIVE_PARAMS object to convert
- * @return - the new CK_ECDH1_DERIVE_PARAMS structure
+ * @param ckParamPtr - the new CK_ECDH1_DERIVE_PARAMS structure
  */
-CK_ECDH1_DERIVE_PARAMS jEcdh1DeriveParamToCKEcdh1DeriveParam(JNIEnv *env, jobject jParam)
+void jEcdh1DeriveParamToCKEcdh1DeriveParam(JNIEnv *env, jobject jParam,
+CK_ECDH1_DERIVE_PARAMS_PTR ckParamPtr)
 {
     jclass jEcdh1DeriveParamsClass;
-    CK_ECDH1_DERIVE_PARAMS ckParam;
     jfieldID fieldID;
     jlong jLong;
     jobject jSharedData, jPublicData;
-    memset(&ckParam, 0, sizeof(CK_ECDH1_DERIVE_PARAMS));
+    memset(ckParamPtr, 0, sizeof(CK_ECDH1_DERIVE_PARAMS));
 
     /* get kdf */
     jEcdh1DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH1_DERIVE_PARAMS);
-    if (jEcdh1DeriveParamsClass == NULL) { return ckParam; }
+    if (jEcdh1DeriveParamsClass == NULL) { return; }
     fieldID = (*env)->GetFieldID(env, jEcdh1DeriveParamsClass, "kdf", "J");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jLong = (*env)->GetLongField(env, jParam, fieldID);
-    ckParam.kdf = jLongToCKULong(jLong);
+    ckParamPtr->kdf = jLongToCKULong(jLong);
 
     /* get pSharedData and ulSharedDataLen */
     fieldID = (*env)->GetFieldID(env, jEcdh1DeriveParamsClass, "pSharedData", "[B");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jSharedData = (*env)->GetObjectField(env, jParam, fieldID);
 
     /* get pPublicData and ulPublicDataLen */
     fieldID = (*env)->GetFieldID(env, jEcdh1DeriveParamsClass, "pPublicData", "[B");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jPublicData = (*env)->GetObjectField(env, jParam, fieldID);
 
     /* populate java values */
-    ckParam.kdf = jLongToCKULong(jLong);
-    jByteArrayToCKByteArray(env, jSharedData, &(ckParam.pSharedData), &(ckParam.ulSharedDataLen));
-    if ((*env)->ExceptionCheck(env)) { return ckParam; }
-    jByteArrayToCKByteArray(env, jPublicData, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen));
+    ckParamPtr->kdf = jLongToCKULong(jLong);
+    jByteArrayToCKByteArray(env, jSharedData, &(ckParamPtr->pSharedData), &(ckParamPtr->ulSharedDataLen));
+    if ((*env)->ExceptionCheck(env)) { return; }
+    jByteArrayToCKByteArray(env, jPublicData, &(ckParamPtr->pPublicData), &(ckParamPtr->ulPublicDataLen));
     if ((*env)->ExceptionCheck(env)) {
-        free(ckParam.pSharedData);
-        return ckParam;
+        free(ckParamPtr->pSharedData);
+        return;
     }
-
-    return ckParam ;
 }
 
 /*
@@ -1886,67 +1783,66 @@
  *
  * @param env - used to call JNI funktions to get the Java classes and objects
  * @param jParam - the Java CK_ECDH2_DERIVE_PARAMS object to convert
- * @return - the new CK_ECDH2_DERIVE_PARAMS structure
+ * @param ckParamPtr - pointer to the new CK_ECDH2_DERIVE_PARAMS structure
  */
-CK_ECDH2_DERIVE_PARAMS jEcdh2DeriveParamToCKEcdh2DeriveParam(JNIEnv *env, jobject jParam)
+void jEcdh2DeriveParamToCKEcdh2DeriveParam(JNIEnv *env, jobject jParam,
+CK_ECDH2_DERIVE_PARAMS_PTR ckParamPtr)
 {
     jclass jEcdh2DeriveParamsClass;
-    CK_ECDH2_DERIVE_PARAMS ckParam;
     jfieldID fieldID;
     jlong jKdf, jPrivateDataLen, jPrivateData;
     jobject jSharedData, jPublicData, jPublicData2;
-    memset(&ckParam, 0, sizeof(CK_ECDH2_DERIVE_PARAMS));
+    memset(ckParamPtr, 0, sizeof(CK_ECDH2_DERIVE_PARAMS));
 
     /* get kdf */
     jEcdh2DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH2_DERIVE_PARAMS);
-    if (jEcdh2DeriveParamsClass == NULL) { return ckParam; }
+    if (jEcdh2DeriveParamsClass == NULL) { return; }
     fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "kdf", "J");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jKdf = (*env)->GetLongField(env, jParam, fieldID);
 
     /* get pSharedData and ulSharedDataLen */
     fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "pSharedData", "[B");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jSharedData = (*env)->GetObjectField(env, jParam, fieldID);
 
     /* get pPublicData and ulPublicDataLen */
     fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "pPublicData", "[B");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jPublicData = (*env)->GetObjectField(env, jParam, fieldID);
 
     /* get ulPrivateDataLen */
     fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "ulPrivateDataLen", "J");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jPrivateDataLen = (*env)->GetLongField(env, jParam, fieldID);
 
     /* get hPrivateData */
     fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "hPrivateData", "J");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jPrivateData = (*env)->GetLongField(env, jParam, fieldID);
 
     /* get pPublicData2 and ulPublicDataLen2 */
     fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "pPublicData2", "[B");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jPublicData2 = (*env)->GetObjectField(env, jParam, fieldID);
 
     /* populate java values */
-    ckParam.kdf = jLongToCKULong(jKdf);
-    jByteArrayToCKByteArray(env, jSharedData, &(ckParam.pSharedData), &(ckParam.ulSharedDataLen));
-    if ((*env)->ExceptionCheck(env)) { return ckParam; }
-    jByteArrayToCKByteArray(env, jPublicData, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen));
+    ckParamPtr->kdf = jLongToCKULong(jKdf);
+    jByteArrayToCKByteArray(env, jSharedData, &(ckParamPtr->pSharedData), &(ckParamPtr->ulSharedDataLen));
+    if ((*env)->ExceptionCheck(env)) { return; }
+    jByteArrayToCKByteArray(env, jPublicData, &(ckParamPtr->pPublicData), &(ckParamPtr->ulPublicDataLen));
     if ((*env)->ExceptionCheck(env)) {
-        free(ckParam.pSharedData);
-        return ckParam;
+        free(ckParamPtr->pSharedData);
+        return;
     }
-    ckParam.ulPrivateDataLen = jLongToCKULong(jPrivateDataLen);
-    ckParam.hPrivateData = jLongToCKULong(jPrivateData);
-    jByteArrayToCKByteArray(env, jPublicData2, &(ckParam.pPublicData2), &(ckParam.ulPublicDataLen2));
+    ckParamPtr->ulPrivateDataLen = jLongToCKULong(jPrivateDataLen);
+    ckParamPtr->hPrivateData = jLongToCKULong(jPrivateData);
+    jByteArrayToCKByteArray(env, jPublicData2, &(ckParamPtr->pPublicData2), &(ckParamPtr->ulPublicDataLen2));
     if ((*env)->ExceptionCheck(env)) {
-        free(ckParam.pSharedData);
-        free(ckParam.pPublicData);
-        return ckParam;
+        free(ckParamPtr->pSharedData);
+        free(ckParamPtr->pPublicData);
+        return;
     }
-    return ckParam ;
 }
 
 /*
@@ -1954,45 +1850,43 @@
  *
  * @param env - used to call JNI funktions to get the Java classes and objects
  * @param jParam - the Java CK_X9_42_DH1_DERIVE_PARAMS object to convert
- * @return - the new CK_X9_42_DH1_DERIVE_PARAMS structure
+ * @param ckParamPtr - pointer to the new CK_X9_42_DH1_DERIVE_PARAMS structure
  */
-CK_X9_42_DH1_DERIVE_PARAMS jX942Dh1DeriveParamToCKX942Dh1DeriveParam(JNIEnv *env, jobject jParam)
+void jX942Dh1DeriveParamToCKX942Dh1DeriveParam(JNIEnv *env, jobject jParam,
+        CK_X9_42_DH1_DERIVE_PARAMS_PTR ckParamPtr)
 {
     jclass jX942Dh1DeriveParamsClass;
-    CK_X9_42_DH1_DERIVE_PARAMS ckParam;
     jfieldID fieldID;
     jlong jKdf;
     jobject jOtherInfo, jPublicData;
-    memset(&ckParam, 0, sizeof(CK_X9_42_DH1_DERIVE_PARAMS));
+    memset(ckParamPtr, 0, sizeof(CK_X9_42_DH1_DERIVE_PARAMS));
 
     /* get kdf */
     jX942Dh1DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH1_DERIVE_PARAMS);
-    if (jX942Dh1DeriveParamsClass == NULL) { return ckParam; }
+    if (jX942Dh1DeriveParamsClass == NULL) { return; }
     fieldID = (*env)->GetFieldID(env, jX942Dh1DeriveParamsClass, "kdf", "J");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jKdf = (*env)->GetLongField(env, jParam, fieldID);
 
     /* get pOtherInfo and ulOtherInfoLen */
     fieldID = (*env)->GetFieldID(env, jX942Dh1DeriveParamsClass, "pOtherInfo", "[B");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jOtherInfo = (*env)->GetObjectField(env, jParam, fieldID);
 
     /* get pPublicData and ulPublicDataLen */
     fieldID = (*env)->GetFieldID(env, jX942Dh1DeriveParamsClass, "pPublicData", "[B");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jPublicData = (*env)->GetObjectField(env, jParam, fieldID);
 
     /* populate java values */
-    ckParam.kdf = jLongToCKULong(jKdf);
-    jByteArrayToCKByteArray(env, jOtherInfo, &(ckParam.pOtherInfo), &(ckParam.ulOtherInfoLen));
-    if ((*env)->ExceptionCheck(env)) { return ckParam; }
-    jByteArrayToCKByteArray(env, jPublicData, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen));
+    ckParamPtr->kdf = jLongToCKULong(jKdf);
+    jByteArrayToCKByteArray(env, jOtherInfo, &(ckParamPtr->pOtherInfo), &(ckParamPtr->ulOtherInfoLen));
+    if ((*env)->ExceptionCheck(env)) { return; }
+    jByteArrayToCKByteArray(env, jPublicData, &(ckParamPtr->pPublicData), &(ckParamPtr->ulPublicDataLen));
     if ((*env)->ExceptionCheck(env)) {
-        free(ckParam.pOtherInfo);
-        return ckParam;
+        free(ckParamPtr->pOtherInfo);
+        return;
     }
-
-    return ckParam ;
 }
 
 /*
@@ -2000,66 +1894,64 @@
  *
  * @param env - used to call JNI funktions to get the Java classes and objects
  * @param jParam - the Java CK_X9_42_DH2_DERIVE_PARAMS object to convert
- * @return - the new CK_X9_42_DH2_DERIVE_PARAMS structure
+ * @param ckParamPtr - pointer to the new CK_X9_42_DH2_DERIVE_PARAMS structure
  */
-CK_X9_42_DH2_DERIVE_PARAMS jX942Dh2DeriveParamToCKX942Dh2DeriveParam(JNIEnv *env, jobject jParam)
+void jX942Dh2DeriveParamToCKX942Dh2DeriveParam(JNIEnv *env, jobject jParam,
+        CK_X9_42_DH2_DERIVE_PARAMS_PTR ckParamPtr)
 {
     jclass jX942Dh2DeriveParamsClass;
-    CK_X9_42_DH2_DERIVE_PARAMS ckParam;
     jfieldID fieldID;
     jlong jKdf, jPrivateDataLen, jPrivateData;
     jobject jOtherInfo, jPublicData, jPublicData2;
-    memset(&ckParam, 0, sizeof(CK_X9_42_DH2_DERIVE_PARAMS));
+    memset(ckParamPtr, 0, sizeof(CK_X9_42_DH2_DERIVE_PARAMS));
 
     /* get kdf */
     jX942Dh2DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH2_DERIVE_PARAMS);
-    if (jX942Dh2DeriveParamsClass == NULL) { return ckParam; }
+    if (jX942Dh2DeriveParamsClass == NULL) { return; }
     fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "kdf", "J");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jKdf = (*env)->GetLongField(env, jParam, fieldID);
 
     /* get pOtherInfo and ulOtherInfoLen */
     fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "pOtherInfo", "[B");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jOtherInfo = (*env)->GetObjectField(env, jParam, fieldID);
 
     /* get pPublicData and ulPublicDataLen */
     fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "pPublicData", "[B");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jPublicData = (*env)->GetObjectField(env, jParam, fieldID);
 
     /* get ulPrivateDataLen */
     fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "ulPrivateDataLen", "J");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jPrivateDataLen = (*env)->GetLongField(env, jParam, fieldID);
 
     /* get hPrivateData */
     fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "hPrivateData", "J");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jPrivateData = (*env)->GetLongField(env, jParam, fieldID);
 
     /* get pPublicData2 and ulPublicDataLen2 */
     fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "pPublicData2", "[B");
-    if (fieldID == NULL) { return ckParam; }
+    if (fieldID == NULL) { return; }
     jPublicData2 = (*env)->GetObjectField(env, jParam, fieldID);
 
     /* populate java values */
-    ckParam.kdf = jLongToCKULong(jKdf);
-    jByteArrayToCKByteArray(env, jOtherInfo, &(ckParam.pOtherInfo), &(ckParam.ulOtherInfoLen));
-    if ((*env)->ExceptionCheck(env)) { return ckParam; }
-    jByteArrayToCKByteArray(env, jPublicData, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen));
+    ckParamPtr->kdf = jLongToCKULong(jKdf);
+    jByteArrayToCKByteArray(env, jOtherInfo, &(ckParamPtr->pOtherInfo), &(ckParamPtr->ulOtherInfoLen));
+    if ((*env)->ExceptionCheck(env)) { return; }
+    jByteArrayToCKByteArray(env, jPublicData, &(ckParamPtr->pPublicData), &(ckParamPtr->ulPublicDataLen));
     if ((*env)->ExceptionCheck(env)) {
-        free(ckParam.pOtherInfo);
-        return ckParam;
+        free(ckParamPtr->pOtherInfo);
+        return;
     }
-    ckParam.ulPrivateDataLen = jLongToCKULong(jPrivateDataLen);
-    ckParam.hPrivateData = jLongToCKULong(jPrivateData);
-    jByteArrayToCKByteArray(env, jPublicData2, &(ckParam.pPublicData2), &(ckParam.ulPublicDataLen2));
+    ckParamPtr->ulPrivateDataLen = jLongToCKULong(jPrivateDataLen);
+    ckParamPtr->hPrivateData = jLongToCKULong(jPrivateData);
+    jByteArrayToCKByteArray(env, jPublicData2, &(ckParamPtr->pPublicData2), &(ckParamPtr->ulPublicDataLen2));
     if ((*env)->ExceptionCheck(env)) {
-        free(ckParam.pOtherInfo);
-        free(ckParam.pPublicData);
-        return ckParam;
+        free(ckParamPtr->pOtherInfo);
+        free(ckParamPtr->pPublicData);
+        return;
     }
-
-    return ckParam ;
 }
--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_crypt.c	Tue Jun 11 13:04:36 2019 -0400
+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_crypt.c	Tue Jun 11 21:30:28 2019 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
  */
 
 /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
@@ -71,7 +71,7 @@
  jobject jMechanism, jlong jKeyHandle)
 {
     CK_SESSION_HANDLE ckSessionHandle;
-    CK_MECHANISM ckMechanism;
+    CK_MECHANISM_PTR ckpMechanism = NULL;
     CK_OBJECT_HANDLE ckKeyHandle;
     CK_RV rv;
 
@@ -80,15 +80,14 @@
 
     ckSessionHandle = jLongToCKULong(jSessionHandle);
     ckKeyHandle = jLongToCKULong(jKeyHandle);
-    jMechanismToCKMechanism(env, jMechanism, &ckMechanism);
+    ckpMechanism = jMechanismToCKMechanismPtr(env, jMechanism);
     if ((*env)->ExceptionCheck(env)) { return; }
 
-    rv = (*ckpFunctions->C_EncryptInit)(ckSessionHandle, &ckMechanism,
+    rv = (*ckpFunctions->C_EncryptInit)(ckSessionHandle, ckpMechanism,
                                         ckKeyHandle);
 
-    if (ckMechanism.pParameter != NULL_PTR) {
-        free(ckMechanism.pParameter);
-    }
+    // if OAEP, then cannot free here
+    freeCKMechanismPtr(ckpMechanism);
 
     if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
 }
@@ -98,54 +97,67 @@
 /*
  * Class:     sun_security_pkcs11_wrapper_PKCS11
  * Method:    C_Encrypt
- * Signature: (J[BII[BII)I
+ * Signature: (JJ[BIIJ[BII)I
  * Parametermapping:                    *PKCS11*
  * @param   jlong jSessionHandle        CK_SESSION_HANDLE hSession
+ * @param   jlong directIn              CK_BYTE_PTR pData
  * @param   jbyteArray jData            CK_BYTE_PTR pData
  *                                      CK_ULONG ulDataLen
- * @return  jbyteArray jEncryptedData   CK_BYTE_PTR pEncryptedData
+ * @param   jlong directOut             CK_BYTE_PTR pEncryptedData
+ * @return  jint encryptedDataLen       CK_BYTE_PTR pEncryptedData
  *                                      CK_ULONG_PTR pulEncryptedDataLen
  */
 JNIEXPORT jint JNICALL
 Java_sun_security_pkcs11_wrapper_PKCS11_C_1Encrypt
 (JNIEnv *env, jobject obj, jlong jSessionHandle,
- jbyteArray jIn, jint jInOfs, jint jInLen,
- jbyteArray jOut, jint jOutOfs, jint jOutLen)
+ jlong directIn, jbyteArray jIn, jint jInOfs, jint jInLen,
+ jlong directOut, jbyteArray jOut, jint jOutOfs, jint jOutLen)
 {
     CK_SESSION_HANDLE ckSessionHandle;
     CK_RV rv;
 
     CK_BYTE_PTR inBufP;
     CK_BYTE_PTR outBufP;
-    CK_ULONG ckEncryptedPartLen;
+    CK_ULONG ckEncryptedLen = 0;
 
     CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj);
     if (ckpFunctions == NULL) { return 0; }
 
     ckSessionHandle = jLongToCKULong(jSessionHandle);
 
-    inBufP = (*env)->GetPrimitiveArrayCritical(env, jIn, NULL);
-    if (inBufP == NULL) { return 0; }
-
-    outBufP = (*env)->GetPrimitiveArrayCritical(env, jOut, NULL);
-    if (outBufP == NULL) {
-        // Make sure to release inBufP
-        (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT);
-        return 0;
+    if (directIn != 0) {
+      inBufP = (CK_BYTE_PTR) jlong_to_ptr(directIn);
+    } else {
+      inBufP = (*env)->GetPrimitiveArrayCritical(env, jIn, NULL);
+      if (inBufP == NULL) { return 0; }
     }
 
-    ckEncryptedPartLen = jOutLen;
+    if (directOut != 0) {
+      outBufP = (CK_BYTE_PTR) jlong_to_ptr(directOut);
+    } else {
+      outBufP = (*env)->GetPrimitiveArrayCritical(env, jOut, NULL);
+      if (outBufP == NULL) {
+          goto cleanup;
+      }
+    }
+
+    ckEncryptedLen = jOutLen;
 
     rv = (*ckpFunctions->C_Encrypt)(ckSessionHandle,
                                     (CK_BYTE_PTR)(inBufP + jInOfs), jInLen,
                                     (CK_BYTE_PTR)(outBufP + jOutOfs),
-                                    &ckEncryptedPartLen);
-
-    (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT);
-    (*env)->ReleasePrimitiveArrayCritical(env, jOut, outBufP, JNI_COMMIT);
+                                    &ckEncryptedLen);
 
     ckAssertReturnValueOK(env, rv);
-    return ckEncryptedPartLen;
+
+cleanup:
+    if (directIn == 0 && inBufP != NULL) {
+        (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT);
+    }
+    if (directOut == 0 && outBufP != NULL) {
+        (*env)->ReleasePrimitiveArrayCritical(env, jOut, outBufP, JNI_COMMIT);
+    }
+    return ckEncryptedLen;
 }
 #endif
 
@@ -172,7 +184,7 @@
 
     CK_BYTE_PTR inBufP;
     CK_BYTE_PTR outBufP;
-    CK_ULONG ckEncryptedPartLen;
+    CK_ULONG ckEncryptedPartLen = 0;
 
     CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj);
     if (ckpFunctions == NULL) { return 0; }
@@ -191,34 +203,26 @@
     } else {
       outBufP = (*env)->GetPrimitiveArrayCritical(env, jOut, NULL);
       if (outBufP == NULL) {
-          // Make sure to release inBufP
-          (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT);
-          return 0;
+          goto cleanup;
       }
     }
 
     ckEncryptedPartLen = jOutLen;
 
-    //printf("EU: inBufP=%i, jInOfs=%i, jInLen=%i, outBufP=%i\n",
-    //       inBufP, jInOfs, jInLen, outBufP);
-
     rv = (*ckpFunctions->C_EncryptUpdate)(ckSessionHandle,
                                           (CK_BYTE_PTR)(inBufP + jInOfs), jInLen,
                                           (CK_BYTE_PTR)(outBufP + jOutOfs),
                                           &ckEncryptedPartLen);
 
-    //printf("EU: ckEncryptedPartLen=%i\n", ckEncryptedPartLen);
+    ckAssertReturnValueOK(env, rv);
 
-    if (directIn == 0) {
+cleanup:
+    if (directIn == 0 && inBufP != NULL) {
         (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT);
     }
-
-    if (directOut == 0) {
+    if (directOut == 0 && outBufP != NULL) {
         (*env)->ReleasePrimitiveArrayCritical(env, jOut, outBufP, JNI_COMMIT);
     }
-
-    ckAssertReturnValueOK(env, rv);
-
     return ckEncryptedPartLen;
 }
 #endif
@@ -257,14 +261,10 @@
 
     ckLastEncryptedPartLen = jOutLen;
 
-    //printf("EF: outBufP=%i\n", outBufP);
-
     rv = (*ckpFunctions->C_EncryptFinal)(ckSessionHandle,
                                          (CK_BYTE_PTR)(outBufP + jOutOfs),
                                          &ckLastEncryptedPartLen);
 
-    //printf("EF: ckLastEncryptedPartLen=%i", ckLastEncryptedPartLen);
-
     if (directOut == 0) {
         (*env)->ReleasePrimitiveArrayCritical(env, jOut, outBufP, JNI_COMMIT);
     }
@@ -291,7 +291,7 @@
  jobject jMechanism, jlong jKeyHandle)
 {
     CK_SESSION_HANDLE ckSessionHandle;
-    CK_MECHANISM ckMechanism;
+    CK_MECHANISM_PTR ckpMechanism = NULL;
     CK_OBJECT_HANDLE ckKeyHandle;
     CK_RV rv;
 
@@ -300,15 +300,14 @@
 
     ckSessionHandle = jLongToCKULong(jSessionHandle);
     ckKeyHandle = jLongToCKULong(jKeyHandle);
-    jMechanismToCKMechanism(env, jMechanism, &ckMechanism);
+    ckpMechanism = jMechanismToCKMechanismPtr(env, jMechanism);
     if ((*env)->ExceptionCheck(env)) { return; }
 
-    rv = (*ckpFunctions->C_DecryptInit)(ckSessionHandle, &ckMechanism,
+    rv = (*ckpFunctions->C_DecryptInit)(ckSessionHandle, ckpMechanism,
                                         ckKeyHandle);
 
-    if (ckMechanism.pParameter != NULL_PTR) {
-        free(ckMechanism.pParameter);
-    }
+    // if OAEP, then cannot free here
+    freeCKMechanismPtr(ckpMechanism);
 
     if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
 }
@@ -318,7 +317,7 @@
 /*
  * Class:     sun_security_pkcs11_wrapper_PKCS11
  * Method:    C_Decrypt
- * Signature: (J[BII[BII)I
+ * Signature: (JJ[BIIJ[BII)I
  * Parametermapping:                    *PKCS11*
  * @param   jlong jSessionHandle        CK_SESSION_HANDLE hSession
  * @param   jbyteArray jEncryptedData   CK_BYTE_PTR pEncryptedData
@@ -329,44 +328,53 @@
 JNIEXPORT jint JNICALL
 Java_sun_security_pkcs11_wrapper_PKCS11_C_1Decrypt
 (JNIEnv *env, jobject obj, jlong jSessionHandle,
- jbyteArray jIn, jint jInOfs, jint jInLen,
- jbyteArray jOut, jint jOutOfs, jint jOutLen)
+ jlong directIn, jbyteArray jIn, jint jInOfs, jint jInLen,
+ jlong directOut, jbyteArray jOut, jint jOutOfs, jint jOutLen)
 {
     CK_SESSION_HANDLE ckSessionHandle;
     CK_RV rv;
 
     CK_BYTE_PTR inBufP;
     CK_BYTE_PTR outBufP;
-    CK_ULONG ckPartLen;
+    CK_ULONG ckOutLen = 0;
 
     CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj);
     if (ckpFunctions == NULL) { return 0; }
 
     ckSessionHandle = jLongToCKULong(jSessionHandle);
 
-    inBufP = (*env)->GetPrimitiveArrayCritical(env, jIn, NULL);
-    if (inBufP == NULL) { return 0; }
-
-    outBufP = (*env)->GetPrimitiveArrayCritical(env, jOut, NULL);
-    if (outBufP == NULL) {
-        // Make sure to release inBufP
-        (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT);
-        return 0;
+    if (directIn != 0) {
+      inBufP = (CK_BYTE_PTR) jlong_to_ptr(directIn);
+    } else {
+      inBufP = (*env)->GetPrimitiveArrayCritical(env, jIn, NULL);
+      if (inBufP == NULL) { return 0; }
     }
 
-    ckPartLen = jOutLen;
+    if (directOut != 0) {
+      outBufP = (CK_BYTE_PTR) jlong_to_ptr(directOut);
+    } else {
+      outBufP = (*env)->GetPrimitiveArrayCritical(env, jOut, NULL);
+      if (outBufP == NULL) {
+          goto cleanup;
+      }
+    }
+    ckOutLen = jOutLen;
 
     rv = (*ckpFunctions->C_Decrypt)(ckSessionHandle,
                                     (CK_BYTE_PTR)(inBufP + jInOfs), jInLen,
                                     (CK_BYTE_PTR)(outBufP + jOutOfs),
-                                    &ckPartLen);
-
-    (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT);
-    (*env)->ReleasePrimitiveArrayCritical(env, jOut, outBufP, JNI_COMMIT);
+                                    &ckOutLen);
 
     ckAssertReturnValueOK(env, rv);
 
-    return ckPartLen;
+cleanup:
+    if (directIn == 0 && inBufP != NULL) {
+        (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT);
+    }
+    if (directOut == 0 && outBufP != NULL) {
+        (*env)->ReleasePrimitiveArrayCritical(env, jOut, outBufP, JNI_COMMIT);
+    }
+    return ckOutLen;
 }
 #endif
 
@@ -393,7 +401,7 @@
 
     CK_BYTE_PTR inBufP;
     CK_BYTE_PTR outBufP;
-    CK_ULONG ckDecryptedPartLen;
+    CK_ULONG ckDecryptedPartLen = 0;
 
     CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj);
     if (ckpFunctions == NULL) { return 0; }
@@ -412,28 +420,24 @@
     } else {
       outBufP = (*env)->GetPrimitiveArrayCritical(env, jOut, NULL);
       if (outBufP == NULL) {
-          // Make sure to release inBufP
-          (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT);
-          return 0;
+          goto cleanup;
       }
     }
 
     ckDecryptedPartLen = jOutLen;
-
     rv = (*ckpFunctions->C_DecryptUpdate)(ckSessionHandle,
                                           (CK_BYTE_PTR)(inBufP + jInOfs), jInLen,
                                           (CK_BYTE_PTR)(outBufP + jOutOfs),
                                           &ckDecryptedPartLen);
-    if (directIn == 0) {
+    ckAssertReturnValueOK(env, rv);
+
+cleanup:
+    if (directIn == 0 && inBufP != NULL) {
         (*env)->ReleasePrimitiveArrayCritical(env, jIn, inBufP, JNI_ABORT);
     }
-
-    if (directOut == 0) {
+    if (directOut == 0 && outBufP != NULL) {
         (*env)->ReleasePrimitiveArrayCritical(env, jOut, outBufP, JNI_COMMIT);
     }
-
-    ckAssertReturnValueOK(env, rv);
-
     return ckDecryptedPartLen;
 }
 
--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_digest.c	Tue Jun 11 13:04:36 2019 -0400
+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_digest.c	Tue Jun 11 21:30:28 2019 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
  */
 
 /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
@@ -68,21 +68,19 @@
     (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism)
 {
     CK_SESSION_HANDLE ckSessionHandle;
-    CK_MECHANISM ckMechanism;
+    CK_MECHANISM_PTR ckpMechanism = NULL;
     CK_RV rv;
 
     CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj);
     if (ckpFunctions == NULL) { return; }
 
     ckSessionHandle = jLongToCKULong(jSessionHandle);
-    jMechanismToCKMechanism(env, jMechanism, &ckMechanism);
+    ckpMechanism = jMechanismToCKMechanismPtr(env, jMechanism);
     if ((*env)->ExceptionCheck(env)) { return; }
 
-    rv = (*ckpFunctions->C_DigestInit)(ckSessionHandle, &ckMechanism);
+    rv = (*ckpFunctions->C_DigestInit)(ckSessionHandle, ckpMechanism);
 
-    if (ckMechanism.pParameter != NULL_PTR) {
-        free(ckMechanism.pParameter);
-    }
+    freeCKMechanismPtr(ckpMechanism);
 
     if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
 }
@@ -101,53 +99,50 @@
  *                                      CK_ULONG_PTR pulDigestLen
  */
 JNIEXPORT jint JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1DigestSingle
-  (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jbyteArray jIn, jint jInOfs, jint jInLen, jbyteArray jDigest, jint jDigestOfs, jint jDigestLen)
+    (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism,
+     jbyteArray jIn, jint jInOfs, jint jInLen, jbyteArray jDigest,
+     jint jDigestOfs, jint jDigestLen)
 {
     CK_SESSION_HANDLE ckSessionHandle;
     CK_RV rv;
-    CK_BYTE_PTR bufP;
     CK_BYTE BUF[MAX_STACK_BUFFER_LEN];
+    CK_BYTE_PTR bufP = BUF;
     CK_BYTE DIGESTBUF[MAX_DIGEST_LEN];
-    CK_ULONG ckDigestLength = min(MAX_DIGEST_LEN, jDigestLen);
-    CK_MECHANISM ckMechanism;
+    CK_ULONG ckDigestLength = 0;
+    CK_MECHANISM_PTR ckpMechanism = NULL;
 
     CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj);
     if (ckpFunctions == NULL) { return 0; }
 
     ckSessionHandle = jLongToCKULong(jSessionHandle);
-    jMechanismToCKMechanism(env, jMechanism, &ckMechanism);
+    ckpMechanism = jMechanismToCKMechanismPtr(env, jMechanism);
     if ((*env)->ExceptionCheck(env)) { return 0; }
 
-    rv = (*ckpFunctions->C_DigestInit)(ckSessionHandle, &ckMechanism);
+    rv = (*ckpFunctions->C_DigestInit)(ckSessionHandle, ckpMechanism);
+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { goto cleanup; }
 
-    if (ckMechanism.pParameter != NULL_PTR) {
-        free(ckMechanism.pParameter);
-    }
-
-    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0; }
-
-    if (jInLen <= MAX_STACK_BUFFER_LEN) {
-        bufP = BUF;
-    } else {
+    if (jInLen > MAX_STACK_BUFFER_LEN) {
         /* always use single part op, even for large data */
         bufP = (CK_BYTE_PTR) malloc((size_t)jInLen);
         if (bufP == NULL) {
             throwOutOfMemoryError(env, 0);
-            return 0;
+            goto cleanup;
         }
     }
 
     (*env)->GetByteArrayRegion(env, jIn, jInOfs, jInLen, (jbyte *)bufP);
     if ((*env)->ExceptionCheck(env)) {
-        if (bufP != BUF) { free(bufP); }
-        return 0;
+        goto cleanup;
     }
 
+    ckDigestLength = min(MAX_DIGEST_LEN, jDigestLen);
+
     rv = (*ckpFunctions->C_Digest)(ckSessionHandle, bufP, jInLen, DIGESTBUF, &ckDigestLength);
     if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
         (*env)->SetByteArrayRegion(env, jDigest, jDigestOfs, ckDigestLength, (jbyte *)DIGESTBUF);
     }
-
+cleanup:
+    freeCKMechanismPtr(ckpMechanism);
     if (bufP != BUF) { free(bufP); }
 
     return ckDigestLength;
@@ -165,7 +160,8 @@
  *                                      CK_ULONG ulDataLen
  */
 JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1DigestUpdate
-  (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong directIn, jbyteArray jIn, jint jInOfs, jint jInLen)
+    (JNIEnv *env, jobject obj, jlong jSessionHandle, jlong directIn, jbyteArray jIn,
+     jint jInOfs, jint jInLen)
 {
     CK_SESSION_HANDLE ckSessionHandle;
     CK_RV rv;
@@ -256,7 +252,8 @@
  *                                      CK_ULONG_PTR pulDigestLen
  */
 JNIEXPORT jint JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1DigestFinal
-  (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jDigest, jint jDigestOfs, jint jDigestLen)
+    (JNIEnv *env, jobject obj, jlong jSessionHandle, jbyteArray jDigest,
+     jint jDigestOfs, jint jDigestLen)
 {
     CK_SESSION_HANDLE ckSessionHandle;
     CK_RV rv;
--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_general.c	Tue Jun 11 13:04:36 2019 -0400
+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_general.c	Tue Jun 11 21:30:28 2019 +0000
@@ -67,6 +67,7 @@
 jfieldID pNativeDataID;
 jfieldID mech_mechanismID;
 jfieldID mech_pParameterID;
+jfieldID mech_pHandleID;
 
 jclass jByteArrayClass;
 jclass jLongClass;
@@ -85,6 +86,23 @@
 /* ************************************************************************** */
 
 /*
+ * This method is used to do free the memory allocated for CK_MECHANISM structure.
+ *
+ * Class:     sun_security_pkcs11_wrapper_PKCS11
+ * Method:    freeMechanism
+ * Signature: (J)J
+ */
+JNIEXPORT jlong JNICALL
+Java_sun_security_pkcs11_wrapper_PKCS11_freeMechanism
+(JNIEnv *env, jclass thisClass, jlong ckpMechanism) {
+    if (ckpMechanism != 0L) {
+        freeCKMechanismPtr((CK_MECHANISM_PTR) ckpMechanism);
+        TRACE1("DEBUG PKCS11_freeMechanism: free pMech = %x\n", (jlong)ckpMechanism);
+    }
+    return 0L;
+}
+
+/*
  * This method is used to do static initialization. This method is static and
  * synchronized. Summary: use this method like a static initialization block.
  *
@@ -115,11 +133,11 @@
 void prefetchFields(JNIEnv *env, jclass thisClass) {
     jclass tmpClass;
 
-    /* PKCS11 */
+    /* PKCS11 - pNativeData */
     pNativeDataID = (*env)->GetFieldID(env, thisClass, "pNativeData", "J");
     if (pNativeDataID == NULL) { return; }
 
-    /* CK_MECHANISM */
+    /* CK_MECHANISM - mechanism, pParameter, pHandle */
     tmpClass = (*env)->FindClass(env, CLASS_MECHANISM);
     if (tmpClass == NULL) { return; }
     mech_mechanismID = (*env)->GetFieldID(env, tmpClass, "mechanism", "J");
@@ -127,6 +145,10 @@
     mech_pParameterID = (*env)->GetFieldID(env, tmpClass, "pParameter",
                                            "Ljava/lang/Object;");
     if (mech_pParameterID == NULL) { return; }
+    mech_pHandleID = (*env)->GetFieldID(env, tmpClass, "pHandle", "J");
+    if (mech_pHandleID == NULL) { return; }
+
+    /* java classes for primitive types - byte[], long */
     jByteArrayClass = fetchClass(env, "[B");
     if (jByteArrayClass == NULL) { return; }
     jLongClass = fetchClass(env, "java/lang/Long");
--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_keymgmt.c	Tue Jun 11 13:04:36 2019 -0400
+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_keymgmt.c	Tue Jun 11 21:30:28 2019 +0000
@@ -155,7 +155,7 @@
     jbyte* nativeKeyInfoArrayRawCkAttributes = NULL;
     jbyte* nativeKeyInfoArrayRawCkAttributesPtr = NULL;
     jbyte* nativeKeyInfoArrayRawDataPtr = NULL;
-    CK_MECHANISM ckMechanism;
+    CK_MECHANISM_PTR ckpMechanism = NULL;
     char iv[16] = {0x0};
     CK_ULONG ckWrappedKeyLength = 0U;
     jbyte* wrappedKeySizeWrappedKeyArrayPtr = NULL;
@@ -310,8 +310,8 @@
         // Key is sensitive. Need to extract it wrapped.
         if (jWrappingKeyHandle != 0) {
 
-            jMechanismToCKMechanism(env, jWrappingMech, &ckMechanism);
-            rv = (*ckpFunctions->C_WrapKey)(ckSessionHandle, &ckMechanism,
+            ckpMechanism = jMechanismToCKMechanismPtr(env, jWrappingMech);
+            rv = (*ckpFunctions->C_WrapKey)(ckSessionHandle, ckpMechanism,
                     jLongToCKULong(jWrappingKeyHandle), ckObjectHandle,
                     NULL_PTR, &ckWrappedKeyLength);
             if (ckWrappedKeyLength != 0) {
@@ -339,7 +339,7 @@
                 wrappedKeyBufferPtr =
                         (CK_BYTE_PTR) (wrappedKeySizeWrappedKeyArrayPtr +
                         sizeof(unsigned long));
-                rv = (*ckpFunctions->C_WrapKey)(ckSessionHandle, &ckMechanism,
+                rv = (*ckpFunctions->C_WrapKey)(ckSessionHandle, ckpMechanism,
                         jLongToCKULong(jWrappingKeyHandle),ckObjectHandle,
                         wrappedKeyBufferPtr, &ckWrappedKeyLength);
                 if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) {
@@ -382,6 +382,7 @@
             && returnValue != nativeKeyInfoWrappedKeyArray) {
         (*env)->DeleteLocalRef(env, nativeKeyInfoWrappedKeyArray);
     }
+    freeCKMechanismPtr(ckpMechanism);
 
     return returnValue;
 }
@@ -417,7 +418,7 @@
     unsigned long totalDataSize = 0UL;
     jbyte* wrappedKeySizePtr = NULL;
     unsigned int i = 0U;
-    CK_MECHANISM ckMechanism;
+    CK_MECHANISM_PTR ckpMechanism = NULL;
     char iv[16] = {0x0};
     CK_ULONG ckWrappedKeyLength = 0UL;
     CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj);
@@ -468,8 +469,8 @@
                 jLongToCKULong(nativeKeyInfoCkAttributesCount), &ckObjectHandle);
     } else {
         // Wrapped key
-        jMechanismToCKMechanism(env, jWrappingMech, &ckMechanism);
-        rv = (*ckpFunctions->C_UnwrapKey)(ckSessionHandle, &ckMechanism,
+        ckpMechanism = jMechanismToCKMechanismPtr(env, jWrappingMech);
+        rv = (*ckpFunctions->C_UnwrapKey)(ckSessionHandle, ckpMechanism,
                 jLongToCKULong(jWrappingKeyHandle),
                 (CK_BYTE_PTR)(wrappedKeySizePtr + sizeof(unsigned long)),
                 ckWrappedKeyLength,
@@ -490,6 +491,7 @@
                 nativeKeyInfoArrayRaw, JNI_ABORT);
     }
 
+    freeCKMechanismPtr(ckpMechanism);
     return jObjectHandle;
 }
 #endif
@@ -510,9 +512,9 @@
     (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jobjectArray jTemplate)
 {
     CK_SESSION_HANDLE ckSessionHandle;
-    CK_MECHANISM ckMechanism;
+    CK_MECHANISM_PTR ckpMechanism = NULL;
     CK_ATTRIBUTE_PTR ckpAttributes = NULL_PTR;
-    CK_ULONG ckAttributesLength;
+    CK_ULONG ckAttributesLength = 0;
     CK_OBJECT_HANDLE ckKeyHandle = 0;
     jlong jKeyHandle = 0L;
     CK_RV rv;
@@ -521,24 +523,21 @@
     if (ckpFunctions == NULL) { return 0L; }
 
     ckSessionHandle = jLongToCKULong(jSessionHandle);
-    jMechanismToCKMechanism(env, jMechanism, &ckMechanism);
+    ckpMechanism = jMechanismToCKMechanismPtr(env, jMechanism);
     if ((*env)->ExceptionCheck(env)) { return 0L ; }
 
     jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength);
     if ((*env)->ExceptionCheck(env)) {
-        if (ckMechanism.pParameter != NULL_PTR) {
-            free(ckMechanism.pParameter);
-        }
-        return 0L;
+        goto cleanup;
     }
 
-    rv = (*ckpFunctions->C_GenerateKey)(ckSessionHandle, &ckMechanism, ckpAttributes, ckAttributesLength, &ckKeyHandle);
+    rv = (*ckpFunctions->C_GenerateKey)(ckSessionHandle, ckpMechanism, ckpAttributes, ckAttributesLength, &ckKeyHandle);
 
     if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
         jKeyHandle = ckULongToJLong(ckKeyHandle);
 
         /* cheack, if we must give a initialization vector back to Java */
-        switch (ckMechanism.mechanism) {
+        switch (ckpMechanism->mechanism) {
         case CKM_PBE_MD2_DES_CBC:
         case CKM_PBE_MD5_DES_CBC:
         case CKM_PBE_MD5_CAST_CBC:
@@ -548,14 +547,12 @@
         case CKM_PBE_SHA1_CAST128_CBC:
         /* case CKM_PBE_SHA1_CAST5_CBC: the same as CKM_PBE_SHA1_CAST128_CBC */
             /* we must copy back the initialization vector to the jMechanism object */
-            copyBackPBEInitializationVector(env, &ckMechanism, jMechanism);
+            copyBackPBEInitializationVector(env, ckpMechanism, jMechanism);
             break;
         }
     }
-
-    if (ckMechanism.pParameter != NULL_PTR) {
-        free(ckMechanism.pParameter);
-    }
+cleanup:
+    freeCKMechanismPtr(ckpMechanism);
     freeCKAttributeArray(ckpAttributes, ckAttributesLength);
 
     return jKeyHandle ;
@@ -582,14 +579,14 @@
      jobjectArray jPublicKeyTemplate, jobjectArray jPrivateKeyTemplate)
 {
     CK_SESSION_HANDLE ckSessionHandle;
-    CK_MECHANISM ckMechanism;
+    CK_MECHANISM_PTR ckpMechanism = NULL;
     CK_ATTRIBUTE_PTR ckpPublicKeyAttributes = NULL_PTR;
     CK_ATTRIBUTE_PTR ckpPrivateKeyAttributes = NULL_PTR;
-    CK_ULONG ckPublicKeyAttributesLength;
-    CK_ULONG ckPrivateKeyAttributesLength;
+    CK_ULONG ckPublicKeyAttributesLength = 0;
+    CK_ULONG ckPrivateKeyAttributesLength = 0;
     CK_OBJECT_HANDLE_PTR ckpPublicKeyHandle;  /* pointer to Public Key */
     CK_OBJECT_HANDLE_PTR ckpPrivateKeyHandle; /* pointer to Private Key */
-    CK_OBJECT_HANDLE_PTR ckpKeyHandles;     /* pointer to array with Public and Private Key */
+    CK_OBJECT_HANDLE_PTR ckpKeyHandles = NULL; /* pointer to array with Public and Private Key */
     jlongArray jKeyHandles = NULL;
     CK_RV rv;
     int attempts;
@@ -599,37 +596,25 @@
     if (ckpFunctions == NULL) { return NULL; }
 
     ckSessionHandle = jLongToCKULong(jSessionHandle);
-    jMechanismToCKMechanism(env, jMechanism, &ckMechanism);
+    ckpMechanism = jMechanismToCKMechanismPtr(env, jMechanism);
     if ((*env)->ExceptionCheck(env)) { return NULL; }
 
     ckpKeyHandles = (CK_OBJECT_HANDLE_PTR) malloc(2 * sizeof(CK_OBJECT_HANDLE));
     if (ckpKeyHandles == NULL) {
-        if (ckMechanism.pParameter != NULL_PTR) {
-            free(ckMechanism.pParameter);
-        }
         throwOutOfMemoryError(env, 0);
-        return NULL;
+        goto cleanup;
     }
     ckpPublicKeyHandle = ckpKeyHandles;   /* first element of array is Public Key */
     ckpPrivateKeyHandle = (ckpKeyHandles + 1);  /* second element of array is Private Key */
 
     jAttributeArrayToCKAttributeArray(env, jPublicKeyTemplate, &ckpPublicKeyAttributes, &ckPublicKeyAttributesLength);
     if ((*env)->ExceptionCheck(env)) {
-        if (ckMechanism.pParameter != NULL_PTR) {
-            free(ckMechanism.pParameter);
-        }
-        free(ckpKeyHandles);
-        return NULL;
+        goto cleanup;
     }
 
     jAttributeArrayToCKAttributeArray(env, jPrivateKeyTemplate, &ckpPrivateKeyAttributes, &ckPrivateKeyAttributesLength);
     if ((*env)->ExceptionCheck(env)) {
-        if (ckMechanism.pParameter != NULL_PTR) {
-            free(ckMechanism.pParameter);
-        }
-        free(ckpKeyHandles);
-        freeCKAttributeArray(ckpPublicKeyAttributes, ckPublicKeyAttributesLength);
-        return NULL;
+        goto cleanup;
     }
 
     /*
@@ -650,7 +635,7 @@
      * Call C_GenerateKeyPair() several times if CKR_FUNCTION_FAILED occurs.
      */
     for (attempts = 0; attempts < MAX_ATTEMPTS; attempts++) {
-        rv = (*ckpFunctions->C_GenerateKeyPair)(ckSessionHandle, &ckMechanism,
+        rv = (*ckpFunctions->C_GenerateKeyPair)(ckSessionHandle, ckpMechanism,
                         ckpPublicKeyAttributes, ckPublicKeyAttributesLength,
                         ckpPrivateKeyAttributes, ckPrivateKeyAttributesLength,
                         ckpPublicKeyHandle, ckpPrivateKeyHandle);
@@ -666,13 +651,11 @@
         jKeyHandles = ckULongArrayToJLongArray(env, ckpKeyHandles, 2);
     }
 
-    if(ckMechanism.pParameter != NULL_PTR) {
-        free(ckMechanism.pParameter);
-    }
+cleanup:
+    freeCKMechanismPtr(ckpMechanism);
     free(ckpKeyHandles);
     freeCKAttributeArray(ckpPublicKeyAttributes, ckPublicKeyAttributesLength);
     freeCKAttributeArray(ckpPrivateKeyAttributes, ckPrivateKeyAttributesLength);
-
     return jKeyHandles ;
 }
 #endif
@@ -694,7 +677,7 @@
     (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jlong jWrappingKeyHandle, jlong jKeyHandle)
 {
     CK_SESSION_HANDLE ckSessionHandle;
-    CK_MECHANISM ckMechanism;
+    CK_MECHANISM_PTR ckpMechanism = NULL;
     CK_OBJECT_HANDLE ckWrappingKeyHandle;
     CK_OBJECT_HANDLE ckKeyHandle;
     jbyteArray jWrappedKey = NULL;
@@ -707,33 +690,30 @@
     if (ckpFunctions == NULL) { return NULL; }
 
     ckSessionHandle = jLongToCKULong(jSessionHandle);
-    jMechanismToCKMechanism(env, jMechanism, &ckMechanism);
+    ckpMechanism = jMechanismToCKMechanismPtr(env, jMechanism);
     if ((*env)->ExceptionCheck(env)) { return NULL; }
 
     ckWrappingKeyHandle = jLongToCKULong(jWrappingKeyHandle);
     ckKeyHandle = jLongToCKULong(jKeyHandle);
 
-    rv = (*ckpFunctions->C_WrapKey)(ckSessionHandle, &ckMechanism, ckWrappingKeyHandle, ckKeyHandle, ckpWrappedKey, &ckWrappedKeyLength);
+    rv = (*ckpFunctions->C_WrapKey)(ckSessionHandle, ckpMechanism, ckWrappingKeyHandle, ckKeyHandle, ckpWrappedKey, &ckWrappedKeyLength);
     if (rv == CKR_BUFFER_TOO_SMALL) {
         ckpWrappedKey = (CK_BYTE_PTR) malloc(ckWrappedKeyLength);
         if (ckpWrappedKey == NULL) {
-            if (ckMechanism.pParameter != NULL_PTR) {
-                free(ckMechanism.pParameter);
-            }
             throwOutOfMemoryError(env, 0);
-            return NULL;
+            goto cleanup;
         }
 
-        rv = (*ckpFunctions->C_WrapKey)(ckSessionHandle, &ckMechanism, ckWrappingKeyHandle, ckKeyHandle, ckpWrappedKey, &ckWrappedKeyLength);
+        rv = (*ckpFunctions->C_WrapKey)(ckSessionHandle, ckpMechanism, ckWrappingKeyHandle, ckKeyHandle, ckpWrappedKey, &ckWrappedKeyLength);
     }
     if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
         jWrappedKey = ckByteArrayToJByteArray(env, ckpWrappedKey, ckWrappedKeyLength);
     }
 
+cleanup:
     if (ckpWrappedKey != BUF) { free(ckpWrappedKey); }
-    if (ckMechanism.pParameter != NULL_PTR) {
-        free(ckMechanism.pParameter);
-    }
+    freeCKMechanismPtr(ckpMechanism);
+
     return jWrappedKey ;
 }
 #endif
@@ -758,12 +738,12 @@
      jbyteArray jWrappedKey, jobjectArray jTemplate)
 {
     CK_SESSION_HANDLE ckSessionHandle;
-    CK_MECHANISM ckMechanism;
+    CK_MECHANISM_PTR ckpMechanism = NULL;
     CK_OBJECT_HANDLE ckUnwrappingKeyHandle;
     CK_BYTE_PTR ckpWrappedKey = NULL_PTR;
     CK_ULONG ckWrappedKeyLength;
     CK_ATTRIBUTE_PTR ckpAttributes = NULL_PTR;
-    CK_ULONG ckAttributesLength;
+    CK_ULONG ckAttributesLength = 0;
     CK_OBJECT_HANDLE ckKeyHandle = 0;
     jlong jKeyHandle = 0L;
     CK_RV rv;
@@ -772,29 +752,22 @@
     if (ckpFunctions == NULL) { return 0L; }
 
     ckSessionHandle = jLongToCKULong(jSessionHandle);
-    jMechanismToCKMechanism(env, jMechanism, &ckMechanism);
+    ckpMechanism = jMechanismToCKMechanismPtr(env, jMechanism);
     if ((*env)->ExceptionCheck(env)) { return 0L; }
 
     ckUnwrappingKeyHandle = jLongToCKULong(jUnwrappingKeyHandle);
     jByteArrayToCKByteArray(env, jWrappedKey, &ckpWrappedKey, &ckWrappedKeyLength);
     if ((*env)->ExceptionCheck(env)) {
-        if (ckMechanism.pParameter != NULL_PTR) {
-            free(ckMechanism.pParameter);
-        }
-        return 0L;
+        goto cleanup;
     }
 
     jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength);
     if ((*env)->ExceptionCheck(env)) {
-        if (ckMechanism.pParameter != NULL_PTR) {
-            free(ckMechanism.pParameter);
-        }
-        free(ckpWrappedKey);
-        return 0L;
+        goto cleanup;
     }
 
 
-    rv = (*ckpFunctions->C_UnwrapKey)(ckSessionHandle, &ckMechanism, ckUnwrappingKeyHandle,
+    rv = (*ckpFunctions->C_UnwrapKey)(ckSessionHandle, ckpMechanism, ckUnwrappingKeyHandle,
                  ckpWrappedKey, ckWrappedKeyLength,
                  ckpAttributes, ckAttributesLength, &ckKeyHandle);
 
@@ -803,16 +776,14 @@
 
 #if 0
         /* cheack, if we must give a initialization vector back to Java */
-        if (ckMechanism.mechanism == CKM_KEY_WRAP_SET_OAEP) {
+        if (ckpMechanism->mechanism == CKM_KEY_WRAP_SET_OAEP) {
             /* we must copy back the unwrapped key info to the jMechanism object */
-            copyBackSetUnwrappedKey(env, &ckMechanism, jMechanism);
+            copyBackSetUnwrappedKey(env, ckpMechanism, jMechanism);
         }
 #endif
     }
-
-    if (ckMechanism.pParameter != NULL_PTR) {
-        free(ckMechanism.pParameter);
-    }
+cleanup:
+    freeCKMechanismPtr(ckpMechanism);
     freeCKAttributeArray(ckpAttributes, ckAttributesLength);
     free(ckpWrappedKey);
 
@@ -834,26 +805,27 @@
     }
 }
 
-void ssl3FreeMasterKeyDeriveParams(CK_MECHANISM_PTR ckMechanism) {
-    CK_SSL3_MASTER_KEY_DERIVE_PARAMS *params = (CK_SSL3_MASTER_KEY_DERIVE_PARAMS *) ckMechanism->pParameter;
+void ssl3FreeMasterKeyDeriveParams(CK_MECHANISM_PTR ckpMechanism) {
+    CK_SSL3_MASTER_KEY_DERIVE_PARAMS *params =
+            (CK_SSL3_MASTER_KEY_DERIVE_PARAMS *) ckpMechanism->pParameter;
     if (params == NULL) {
         return;
     }
     freeMasterKeyDeriveParams(&(params->RandomInfo), params->pVersion);
 }
 
-void tls12FreeMasterKeyDeriveParams(CK_MECHANISM_PTR ckMechanism) {
+void tls12FreeMasterKeyDeriveParams(CK_MECHANISM_PTR ckpMechanism) {
     CK_TLS12_MASTER_KEY_DERIVE_PARAMS *params =
-            (CK_TLS12_MASTER_KEY_DERIVE_PARAMS *)ckMechanism->pParameter;
+            (CK_TLS12_MASTER_KEY_DERIVE_PARAMS *)ckpMechanism->pParameter;
     if (params == NULL) {
         return;
     }
     freeMasterKeyDeriveParams(&(params->RandomInfo), params->pVersion);
 }
 
-void freeEcdh1DeriveParams(CK_MECHANISM_PTR ckMechanism) {
+void freeEcdh1DeriveParams(CK_MECHANISM_PTR ckpMechanism) {
     CK_ECDH1_DERIVE_PARAMS *params =
-            (CK_ECDH1_DERIVE_PARAMS *)ckMechanism->pParameter;
+            (CK_ECDH1_DERIVE_PARAMS *)ckpMechanism->pParameter;
     if (params == NULL) {
         return;
     }
@@ -869,7 +841,7 @@
 /*
  * Copy back the PRF output to Java.
  */
-void copyBackTLSPrfParams(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism)
+void copyBackTLSPrfParams(JNIEnv *env, CK_MECHANISM_PTR ckpMechanism, jobject jMechanism)
 {
     jclass jMechanismClass, jTLSPrfParamsClass;
     CK_TLS_PRF_PARAMS *ckTLSPrfParams;
@@ -890,13 +862,13 @@
     if (fieldID == NULL) { return; }
     jMechanismType = (*env)->GetLongField(env, jMechanism, fieldID);
     ckMechanismType = jLongToCKULong(jMechanismType);
-    if (ckMechanismType != ckMechanism->mechanism) {
+    if (ckMechanismType != ckpMechanism->mechanism) {
         /* we do not have maching types, this should not occur */
         return;
     }
 
     /* get the native CK_TLS_PRF_PARAMS */
-    ckTLSPrfParams = (CK_TLS_PRF_PARAMS *) ckMechanism->pParameter;
+    ckTLSPrfParams = (CK_TLS_PRF_PARAMS *) ckpMechanism->pParameter;
     if (ckTLSPrfParams != NULL_PTR) {
         /* get the Java CK_TLS_PRF_PARAMS object (pParameter) */
         fieldID = (*env)->GetFieldID(env, jMechanismClass, "pParameter", "Ljava/lang/Object;");
@@ -950,10 +922,10 @@
     (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jlong jBaseKeyHandle, jobjectArray jTemplate)
 {
     CK_SESSION_HANDLE ckSessionHandle;
-    CK_MECHANISM ckMechanism;
+    CK_MECHANISM_PTR ckpMechanism = NULL;
     CK_OBJECT_HANDLE ckBaseKeyHandle;
     CK_ATTRIBUTE_PTR ckpAttributes = NULL_PTR;
-    CK_ULONG ckAttributesLength;
+    CK_ULONG ckAttributesLength = 0;
     CK_OBJECT_HANDLE ckKeyHandle = 0;
     jlong jKeyHandle = 0L;
     CK_RV rv;
@@ -963,19 +935,16 @@
     if (ckpFunctions == NULL) { return 0L; }
 
     ckSessionHandle = jLongToCKULong(jSessionHandle);
-    jMechanismToCKMechanism(env, jMechanism, &ckMechanism);
+    ckpMechanism = jMechanismToCKMechanismPtr(env, jMechanism);
     if ((*env)->ExceptionCheck(env)) { return 0L; }
 
     ckBaseKeyHandle = jLongToCKULong(jBaseKeyHandle);
     jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength);
     if ((*env)->ExceptionCheck(env)) {
-        if (ckMechanism.pParameter != NULL_PTR) {
-            free(ckMechanism.pParameter);
-        }
-        return 0L;
+        goto cleanup;
     }
 
-    switch (ckMechanism.mechanism) {
+    switch (ckpMechanism->mechanism) {
     case CKM_SSL3_KEY_AND_MAC_DERIVE:
     case CKM_TLS_KEY_AND_MAC_DERIVE:
     case CKM_TLS12_KEY_AND_MAC_DERIVE:
@@ -989,60 +958,60 @@
         break;
     }
 
-    rv = (*ckpFunctions->C_DeriveKey)(ckSessionHandle, &ckMechanism, ckBaseKeyHandle,
+    rv = (*ckpFunctions->C_DeriveKey)(ckSessionHandle, ckpMechanism, ckBaseKeyHandle,
                  ckpAttributes, ckAttributesLength, phKey);
 
     jKeyHandle = ckLongToJLong(ckKeyHandle);
 
-    freeCKAttributeArray(ckpAttributes, ckAttributesLength);
-
-    switch (ckMechanism.mechanism) {
+    switch (ckpMechanism->mechanism) {
     case CKM_SSL3_MASTER_KEY_DERIVE:
     case CKM_TLS_MASTER_KEY_DERIVE:
         /* we must copy back the client version */
-        ssl3CopyBackClientVersion(env, &ckMechanism, jMechanism);
-        ssl3FreeMasterKeyDeriveParams(&ckMechanism);
+        ssl3CopyBackClientVersion(env, ckpMechanism, jMechanism);
+        ssl3FreeMasterKeyDeriveParams(ckpMechanism);
         break;
     case CKM_TLS12_MASTER_KEY_DERIVE:
-        tls12CopyBackClientVersion(env, &ckMechanism, jMechanism);
-        tls12FreeMasterKeyDeriveParams(&ckMechanism);
+        tls12CopyBackClientVersion(env, ckpMechanism, jMechanism);
+        tls12FreeMasterKeyDeriveParams(ckpMechanism);
         break;
     case CKM_SSL3_MASTER_KEY_DERIVE_DH:
     case CKM_TLS_MASTER_KEY_DERIVE_DH:
-        ssl3FreeMasterKeyDeriveParams(&ckMechanism);
+        ssl3FreeMasterKeyDeriveParams(ckpMechanism);
         break;
     case CKM_TLS12_MASTER_KEY_DERIVE_DH:
-        tls12FreeMasterKeyDeriveParams(&ckMechanism);
+        tls12FreeMasterKeyDeriveParams(ckpMechanism);
         break;
     case CKM_SSL3_KEY_AND_MAC_DERIVE:
     case CKM_TLS_KEY_AND_MAC_DERIVE:
         /* we must copy back the unwrapped key info to the jMechanism object */
-        ssl3CopyBackKeyMatParams(env, &ckMechanism, jMechanism);
+        ssl3CopyBackKeyMatParams(env, ckpMechanism, jMechanism);
         break;
     case CKM_TLS12_KEY_AND_MAC_DERIVE:
         /* we must copy back the unwrapped key info to the jMechanism object */
-        tls12CopyBackKeyMatParams(env, &ckMechanism, jMechanism);
+        tls12CopyBackKeyMatParams(env, ckpMechanism, jMechanism);
         break;
     case CKM_TLS_PRF:
-        copyBackTLSPrfParams(env, &ckMechanism, jMechanism);
+        copyBackTLSPrfParams(env, ckpMechanism, jMechanism);
         break;
     case CKM_ECDH1_DERIVE:
-        freeEcdh1DeriveParams(&ckMechanism);
+        freeEcdh1DeriveParams(ckpMechanism);
         break;
     default:
         // empty
         break;
     }
+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) {
+        jKeyHandle =0L;
+    }
 
-    if (ckMechanism.pParameter != NULL_PTR) {
-        free(ckMechanism.pParameter);
-    }
-    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0L ; }
+cleanup:
+    freeCKMechanismPtr(ckpMechanism);
+    freeCKAttributeArray(ckpAttributes, ckAttributesLength);
 
     return jKeyHandle ;
 }
 
-static void copyBackClientVersion(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism,
+static void copyBackClientVersion(JNIEnv *env, CK_MECHANISM_PTR ckpMechanism, jobject jMechanism,
         CK_VERSION *ckVersion, const char *class_master_key_derive_params)
 {
     jclass jMasterKeyDeriveParamsClass, jMechanismClass, jVersionClass;
@@ -1059,7 +1028,7 @@
     if (fieldID == NULL) { return; }
     jMechanismType = (*env)->GetLongField(env, jMechanism, fieldID);
     ckMechanismType = jLongToCKULong(jMechanismType);
-    if (ckMechanismType != ckMechanism->mechanism) {
+    if (ckMechanismType != ckpMechanism->mechanism) {
         /* we do not have maching types, this should not occur */
         return;
     }
@@ -1102,14 +1071,14 @@
  * mechanisms when used for deriving a key.
  *
  */
-void ssl3CopyBackClientVersion(JNIEnv *env, CK_MECHANISM *ckMechanism,
+void ssl3CopyBackClientVersion(JNIEnv *env, CK_MECHANISM_PTR ckpMechanism,
         jobject jMechanism)
 {
     CK_SSL3_MASTER_KEY_DERIVE_PARAMS *ckSSL3MasterKeyDeriveParams;
     ckSSL3MasterKeyDeriveParams =
-            (CK_SSL3_MASTER_KEY_DERIVE_PARAMS *)ckMechanism->pParameter;
+            (CK_SSL3_MASTER_KEY_DERIVE_PARAMS *)ckpMechanism->pParameter;
     if (ckSSL3MasterKeyDeriveParams != NULL_PTR) {
-        copyBackClientVersion(env, ckMechanism, jMechanism,
+        copyBackClientVersion(env, ckpMechanism, jMechanism,
                 ckSSL3MasterKeyDeriveParams->pVersion,
                 CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS);
     }
@@ -1121,20 +1090,20 @@
  * CKM_TLS12_MASTER_KEY_DERIVE mechanism when used for deriving a key.
  *
  */
-void tls12CopyBackClientVersion(JNIEnv *env, CK_MECHANISM *ckMechanism,
+void tls12CopyBackClientVersion(JNIEnv *env, CK_MECHANISM_PTR ckpMechanism,
         jobject jMechanism)
 {
     CK_TLS12_MASTER_KEY_DERIVE_PARAMS *ckTLS12MasterKeyDeriveParams;
     ckTLS12MasterKeyDeriveParams =
-            (CK_TLS12_MASTER_KEY_DERIVE_PARAMS *)ckMechanism->pParameter;
+            (CK_TLS12_MASTER_KEY_DERIVE_PARAMS *)ckpMechanism->pParameter;
     if (ckTLS12MasterKeyDeriveParams != NULL_PTR) {
-        copyBackClientVersion(env, ckMechanism, jMechanism,
+        copyBackClientVersion(env, ckpMechanism, jMechanism,
                 ckTLS12MasterKeyDeriveParams->pVersion,
                 CLASS_TLS12_MASTER_KEY_DERIVE_PARAMS);
     }
 }
 
-static void copyBackKeyMatParams(JNIEnv *env, CK_MECHANISM *ckMechanism,
+static void copyBackKeyMatParams(JNIEnv *env, CK_MECHANISM_PTR ckpMechanism,
         jobject jMechanism, CK_SSL3_RANDOM_DATA *RandomInfo,
         CK_SSL3_KEY_MAT_OUT_PTR ckSSL3KeyMatOut, const char *class_key_mat_params)
 {
@@ -1157,7 +1126,7 @@
     if (fieldID == NULL) { return; }
     jMechanismType = (*env)->GetLongField(env, jMechanism, fieldID);
     ckMechanismType = jLongToCKULong(jMechanismType);
-    if (ckMechanismType != ckMechanism->mechanism) {
+    if (ckMechanismType != ckpMechanism->mechanism) {
         /* we do not have maching types, this should not occur */
         return;
     }
@@ -1264,13 +1233,13 @@
  * when used for deriving a key.
  *
  */
-void ssl3CopyBackKeyMatParams(JNIEnv *env, CK_MECHANISM *ckMechanism,
+void ssl3CopyBackKeyMatParams(JNIEnv *env, CK_MECHANISM_PTR ckpMechanism,
         jobject jMechanism)
 {
     CK_SSL3_KEY_MAT_PARAMS *ckSSL3KeyMatParam;
-    ckSSL3KeyMatParam = (CK_SSL3_KEY_MAT_PARAMS *)ckMechanism->pParameter;
+    ckSSL3KeyMatParam = (CK_SSL3_KEY_MAT_PARAMS *)ckpMechanism->pParameter;
     if (ckSSL3KeyMatParam != NULL_PTR) {
-        copyBackKeyMatParams(env, ckMechanism, jMechanism,
+        copyBackKeyMatParams(env, ckpMechanism, jMechanism,
                 &(ckSSL3KeyMatParam->RandomInfo),
                 ckSSL3KeyMatParam->pReturnedKeyMaterial,
                 CLASS_SSL3_KEY_MAT_PARAMS);
@@ -1283,13 +1252,13 @@
  * CKM_TLS12_KEY_AND_MAC_DERIVE mechanism when used for deriving a key.
  *
  */
-void tls12CopyBackKeyMatParams(JNIEnv *env, CK_MECHANISM *ckMechanism,
+void tls12CopyBackKeyMatParams(JNIEnv *env, CK_MECHANISM_PTR ckpMechanism,
         jobject jMechanism)
 {
     CK_TLS12_KEY_MAT_PARAMS *ckTLS12KeyMatParam;
-    ckTLS12KeyMatParam = (CK_TLS12_KEY_MAT_PARAMS *) ckMechanism->pParameter;
+    ckTLS12KeyMatParam = (CK_TLS12_KEY_MAT_PARAMS *)ckpMechanism->pParameter;
     if (ckTLS12KeyMatParam != NULL_PTR) {
-        copyBackKeyMatParams(env, ckMechanism, jMechanism,
+        copyBackKeyMatParams(env, ckpMechanism, jMechanism,
                 &(ckTLS12KeyMatParam->RandomInfo),
                 ckTLS12KeyMatParam->pReturnedKeyMaterial,
                 CLASS_TLS12_KEY_MAT_PARAMS);
--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_mutex.c	Tue Jun 11 13:04:36 2019 -0400
+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_mutex.c	Tue Jun 11 21:30:28 2019 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
  */
 
 /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
@@ -181,7 +181,7 @@
     jReserved = (*env)->GetObjectField(env, jInitArgs, fieldID);
 
     /* we try to convert the reserved parameter also */
-    jObjectToPrimitiveCKObjectPtrPtr(env, jReserved, &(ckpInitArgs->pReserved), &ckReservedLength);
+    ckpInitArgs->pReserved = jObjectToPrimitiveCKObjectPtr(env, jReserved, &ckReservedLength);
 
     return ckpInitArgs ;
 }
--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_sign.c	Tue Jun 11 13:04:36 2019 -0400
+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_sign.c	Tue Jun 11 21:30:28 2019 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
  */
 
 /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
@@ -63,31 +63,38 @@
  * Parametermapping:                    *PKCS11*
  * @param   jlong jSessionHandle        CK_SESSION_HANDLE hSession
  * @param   jobject jMechanism          CK_MECHANISM_PTR pMechanism
- * @return  jlong jKeyHandle            CK_OBJECT_HANDLE hKey
+ * @param   jlong jKeyHandle            CK_OBJECT_HANDLE hKey
  */
 JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1SignInit
     (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jlong jKeyHandle)
 {
     CK_SESSION_HANDLE ckSessionHandle;
-    CK_MECHANISM ckMechanism;
+    CK_MECHANISM_PTR ckpMechanism = NULL;
     CK_OBJECT_HANDLE ckKeyHandle;
     CK_RV rv;
 
     CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj);
     if (ckpFunctions == NULL) { return; }
 
+    TRACE0("DEBUG: C_SignInit\n");
+
     ckSessionHandle = jLongToCKULong(jSessionHandle);
-    jMechanismToCKMechanism(env, jMechanism, &ckMechanism);
+
+    ckpMechanism = jMechanismToCKMechanismPtr(env, jMechanism);
     if ((*env)->ExceptionCheck(env)) { return; }
+
     ckKeyHandle = jLongToCKULong(jKeyHandle);
 
-    rv = (*ckpFunctions->C_SignInit)(ckSessionHandle, &ckMechanism, ckKeyHandle);
+    rv = (*ckpFunctions->C_SignInit)(ckSessionHandle, ckpMechanism, ckKeyHandle);
 
-    if (ckMechanism.pParameter != NULL_PTR) {
-        free(ckMechanism.pParameter);
+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK ||
+            (ckpMechanism->pParameter == NULL)) {
+        freeCKMechanismPtr(ckpMechanism);
+    } else {
+        (*env)->SetLongField(env, jMechanism, mech_pHandleID, (jlong)ckpMechanism);
+        TRACE1("DEBUG C_SignInit: stored pMech = 0x%lX\n", (jlong)ckpMechanism);
     }
-
-    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
+    TRACE0("FINISHED\n");
 }
 #endif
 
@@ -95,7 +102,7 @@
 /*
  * Class:     sun_security_pkcs11_wrapper_PKCS11
  * Method:    C_Sign
- * Signature: (J[B)[B
+ * Signature: (J[BI)[B
  * Parametermapping:                    *PKCS11*
  * @param   jlong jSessionHandle        CK_SESSION_HANDLE hSession
  * @param   jbyteArray jData            CK_BYTE_PTR pData
@@ -108,69 +115,45 @@
 {
     CK_SESSION_HANDLE ckSessionHandle;
     CK_BYTE_PTR ckpData = NULL_PTR;
-    CK_BYTE_PTR ckpSignature;
     CK_ULONG ckDataLength;
-    CK_ULONG ckSignatureLength = 0;
+    CK_BYTE_PTR bufP;
+    CK_ULONG ckSignatureLength;
+    CK_BYTE BUF[MAX_STACK_BUFFER_LEN];
     jbyteArray jSignature = NULL;
     CK_RV rv;
 
     CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj);
     if (ckpFunctions == NULL) { return NULL; }
 
+    TRACE0("DEBUG: C_Sign\n");
+
     ckSessionHandle = jLongToCKULong(jSessionHandle);
     jByteArrayToCKByteArray(env, jData, &ckpData, &ckDataLength);
-    if ((*env)->ExceptionCheck(env)) { return NULL; }
-
-    /* START standard code */
-
-    /* first determine the length of the signature */
-    rv = (*ckpFunctions->C_Sign)(ckSessionHandle, ckpData, ckDataLength, NULL_PTR, &ckSignatureLength);
-    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) {
-        free(ckpData);
+    if ((*env)->ExceptionCheck(env)) {
         return NULL;
     }
 
-    ckpSignature = (CK_BYTE_PTR) malloc(ckSignatureLength * sizeof(CK_BYTE));
-    if (ckpSignature == NULL) {
-        free(ckpData);
-        throwOutOfMemoryError(env, 0);
-        return NULL;
+    TRACE1("DEBUG C_Sign: data length = %lu\n", ckDataLength);
+
+    // unknown signature length
+    bufP = BUF;
+    ckSignatureLength = MAX_STACK_BUFFER_LEN;
+
+    rv = (*ckpFunctions->C_Sign)(ckSessionHandle, ckpData, ckDataLength,
+        bufP, &ckSignatureLength);
+
+    TRACE1("DEBUG C_Sign: ret rv=0x%lX\n", rv);
+
+    if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
+        jSignature = ckByteArrayToJByteArray(env, bufP, ckSignatureLength);
+        TRACE1("DEBUG C_Sign: signature length = %lu\n", ckSignatureLength);
     }
 
-    /* now get the signature */
-    rv = (*ckpFunctions->C_Sign)(ckSessionHandle, ckpData, ckDataLength, ckpSignature, &ckSignatureLength);
- /* END standard code */
+    free(ckpData);
+    if (bufP != BUF) { free(bufP); }
 
-
-    /* START workaround code for operation abort bug in pkcs#11 of Datakey and iButton */
-/*
-    ckpSignature = (CK_BYTE_PTR) malloc(256 * sizeof(CK_BYTE));
-    if (ckpSignature == NULL) {
-        free(ckpData);
-        throwOutOfMemoryError(env, 0);
-        return NULL;
-    }
-    rv = (*ckpFunctions->C_Sign)(ckSessionHandle, ckpData, ckDataLength, ckpSignature, &ckSignatureLength);
-
-    if (rv == CKR_BUFFER_TOO_SMALL) {
-        free(ckpSignature);
-        ckpSignature = (CK_BYTE_PTR) malloc(ckSignatureLength * sizeof(CK_BYTE));
-        if (ckpSignature == NULL) {
-            free(ckpData);
-            throwOutOfMemoryError(env, 0);
-            return NULL;
-        }
-        rv = (*ckpFunctions->C_Sign)(ckSessionHandle, ckpData, ckDataLength, ckpSignature, &ckSignatureLength);
-    }
- */
-    /* END workaround code */
-    if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
-        jSignature = ckByteArrayToJByteArray(env, ckpSignature, ckSignatureLength);
-    }
-    free(ckpData);
-    free(ckpSignature);
-
-    return jSignature ;
+    TRACE0("FINISHED\n");
+    return jSignature;
 }
 #endif
 
@@ -220,21 +203,20 @@
         jsize chunkLen = min(bufLen, jInLen);
         (*env)->GetByteArrayRegion(env, jIn, jInOfs, chunkLen, (jbyte *)bufP);
         if ((*env)->ExceptionCheck(env)) {
-            if (bufP != BUF) { free(bufP); }
-            return;
+            goto cleanup;
         }
         rv = (*ckpFunctions->C_SignUpdate)(ckSessionHandle, bufP, chunkLen);
         if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) {
-            if (bufP != BUF) {
-                free(bufP);
-            }
-            return;
+            goto cleanup;
         }
         jInOfs += chunkLen;
         jInLen -= chunkLen;
     }
 
+cleanup:
     if (bufP != BUF) { free(bufP); }
+
+    return;
 }
 #endif
 
@@ -294,32 +276,37 @@
  * Parametermapping:                    *PKCS11*
  * @param   jlong jSessionHandle        CK_SESSION_HANDLE hSession
  * @param   jobject jMechanism          CK_MECHANISM_PTR pMechanism
- * @return  jlong jKeyHandle            CK_OBJECT_HANDLE hKey
+ * @param   jlong jKeyHandle            CK_OBJECT_HANDLE hKey
  */
 JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1SignRecoverInit
     (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jlong jKeyHandle)
 {
     CK_SESSION_HANDLE ckSessionHandle;
-    CK_MECHANISM ckMechanism;
+    CK_MECHANISM_PTR ckpMechanism = NULL;
     CK_OBJECT_HANDLE ckKeyHandle;
     CK_RV rv;
 
     CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj);
     if (ckpFunctions == NULL) { return; }
 
+    TRACE0("DEBUG: C_SignRecoverInit\n");
+
     ckSessionHandle = jLongToCKULong(jSessionHandle);
-    jMechanismToCKMechanism(env, jMechanism, &ckMechanism);
+    ckpMechanism = jMechanismToCKMechanismPtr(env, jMechanism);
     if ((*env)->ExceptionCheck(env)) { return; }
 
     ckKeyHandle = jLongToCKULong(jKeyHandle);
 
-    rv = (*ckpFunctions->C_SignRecoverInit)(ckSessionHandle, &ckMechanism, ckKeyHandle);
+    rv = (*ckpFunctions->C_SignRecoverInit)(ckSessionHandle, ckpMechanism, ckKeyHandle);
 
-    if (ckMechanism.pParameter != NULL_PTR) {
-        free(ckMechanism.pParameter);
+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK ||
+            (ckpMechanism->pParameter == NULL)) {
+        freeCKMechanismPtr(ckpMechanism);
+    } else {
+        (*env)->SetLongField(env, jMechanism, mech_pHandleID, (jlong)ckpMechanism);
+        TRACE1("DEBUG C_SignRecoverInit, stored pMech = 0x%lX\n", (jlong)ckpMechanism);
     }
-
-    if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
+    TRACE0("FINISHED\n");
 }
 #endif
 
@@ -344,7 +331,7 @@
     CK_BYTE OUTBUF[MAX_STACK_BUFFER_LEN];
     CK_BYTE_PTR inBufP;
     CK_BYTE_PTR outBufP = OUTBUF;
-    CK_ULONG ckSignatureLength = MAX_STACK_BUFFER_LEN;
+    CK_ULONG ckSignatureLength = 0;
 
     CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj);
     if (ckpFunctions == NULL) { return 0; }
@@ -353,36 +340,35 @@
 
     if (jInLen <= MAX_STACK_BUFFER_LEN) {
         inBufP = INBUF;
+        ckSignatureLength = MAX_STACK_BUFFER_LEN;
     } else {
         inBufP = (CK_BYTE_PTR) malloc((size_t)jInLen);
         if (inBufP == NULL) {
             throwOutOfMemoryError(env, 0);
             return 0;
         }
+        ckSignatureLength = jInLen;
     }
 
     (*env)->GetByteArrayRegion(env, jIn, jInOfs, jInLen, (jbyte *)inBufP);
     if ((*env)->ExceptionCheck(env)) {
-        if (inBufP != INBUF) { free(inBufP); }
-        return 0;
+        goto cleanup;
     }
+
     rv = (*ckpFunctions->C_SignRecover)(ckSessionHandle, inBufP, jInLen, outBufP, &ckSignatureLength);
     /* re-alloc larger buffer if it fits into our Java buffer */
     if ((rv == CKR_BUFFER_TOO_SMALL) && (ckSignatureLength <= jIntToCKULong(jOutLen))) {
         outBufP = (CK_BYTE_PTR) malloc(ckSignatureLength);
         if (outBufP == NULL) {
-            if (inBufP != INBUF) {
-                free(inBufP);
-            }
             throwOutOfMemoryError(env, 0);
-            return 0;
+            goto cleanup;
         }
         rv = (*ckpFunctions->C_SignRecover)(ckSessionHandle, inBufP, jInLen, outBufP, &ckSignatureLength);
     }
     if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) {
         (*env)->SetByteArrayRegion(env, jOut, jOutOfs, ckSignatureLength, (jbyte *)outBufP);
     }
-
+cleanup:
     if (inBufP != INBUF) { free(inBufP); }
     if (outBufP != OUTBUF) { free(outBufP); }
 
@@ -398,32 +384,39 @@
  * Parametermapping:                    *PKCS11*
  * @param   jlong jSessionHandle        CK_SESSION_HANDLE hSession
  * @param   jobject jMechanism          CK_MECHANISM_PTR pMechanism
- * @return  jlong jKeyHandle            CK_OBJECT_HANDLE hKey
+ * @param   jlong jKeyHandle            CK_OBJECT_HANDLE hKey
  */
 JNIEXPORT void JNICALL Java_sun_security_pkcs11_wrapper_PKCS11_C_1VerifyInit
     (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jlong jKeyHandle)
 {
     CK_SESSION_HANDLE ckSessionHandle;
-    CK_MECHANISM ckMechanism;
+    CK_MECHANISM_PTR ckpMechanism = NULL;
     CK_OBJECT_HANDLE ckKeyHandle;
     CK_RV rv;
 
     CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj);
     if (ckpFunctions == NULL) { return; }
 
+    TRACE0("DEBUG: C_VerifyInit\n");
+
     ckSessionHandle = jLongToCKULong(jSessionHandle);
-    jMechanismToCKMechanism(env, jMechanism, &ckMechanism);
-    if ((*env)->ExceptionCheck(env)) { return; }
+    ckpMechanism = jMechanismToCKMechanismPtr(env, jMechanism);
+    if ((*env)->ExceptionCheck(env)) {
+        return;
+    }
 
     ckKeyHandle = jLongToCKULong(jKeyHandle);
 
-    rv = (*ckpFunctions->C_VerifyInit)(ckSessionHandle, &ckMechanism, ckKeyHandle);
+    rv = (*ckpFunctions->C_VerifyInit)(ckSessionHandle, ckpMechanism, ckKeyHandle);
 
-    if(ckMechanism.pParameter != NULL_PTR) {
-        free(ckMechanism.pParameter);
+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK ||
+            (ckpMechanism->pParameter == NULL)) {
+        freeCKMechanismPtr(ckpMechanism);
+    } else {
+        (*env)->SetLongField(env, jMechanism, mech_pHandleID, (jlong)ckpMechanism);
+        TRACE1("DEBUG C_VerifyInit: stored pMech = 0x%lX\n", (jlong)ckpMechanism);
     }
-
-    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
+    TRACE0("FINISHED\n");
 }
 #endif
 
@@ -447,28 +440,31 @@
     CK_BYTE_PTR ckpSignature = NULL_PTR;
     CK_ULONG ckDataLength;
     CK_ULONG ckSignatureLength;
-    CK_RV rv;
+    CK_RV rv = 0;
 
     CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj);
     if (ckpFunctions == NULL) { return; }
 
     ckSessionHandle = jLongToCKULong(jSessionHandle);
+
     jByteArrayToCKByteArray(env, jData, &ckpData, &ckDataLength);
-    if ((*env)->ExceptionCheck(env)) { return; }
+    if ((*env)->ExceptionCheck(env)) {
+        return;
+    }
 
     jByteArrayToCKByteArray(env, jSignature, &ckpSignature, &ckSignatureLength);
     if ((*env)->ExceptionCheck(env)) {
-        free(ckpData);
-        return;
+        goto cleanup;
     }
 
     /* verify the signature */
     rv = (*ckpFunctions->C_Verify)(ckSessionHandle, ckpData, ckDataLength, ckpSignature, ckSignatureLength);
 
+cleanup:
     free(ckpData);
     free(ckpSignature);
 
-    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
+    ckAssertReturnValueOK(env, rv);
 }
 #endif
 
@@ -510,7 +506,7 @@
         bufP = (CK_BYTE_PTR) malloc((size_t)bufLen);
         if (bufP == NULL) {
             throwOutOfMemoryError(env, 0);
-            return;
+            goto cleanup;
         }
     }
 
@@ -518,19 +514,18 @@
         jsize chunkLen = min(bufLen, jInLen);
         (*env)->GetByteArrayRegion(env, jIn, jInOfs, chunkLen, (jbyte *)bufP);
         if ((*env)->ExceptionCheck(env)) {
-            if (bufP != BUF) { free(bufP); }
-            return;
+            goto cleanup;
         }
 
         rv = (*ckpFunctions->C_VerifyUpdate)(ckSessionHandle, bufP, chunkLen);
         if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) {
-            if (bufP != BUF) { free(bufP); }
-            return;
+            goto cleanup;
         }
         jInOfs += chunkLen;
         jInLen -= chunkLen;
     }
 
+cleanup:
     if (bufP != BUF) { free(bufP); }
 }
 #endif
@@ -558,14 +553,16 @@
 
     ckSessionHandle = jLongToCKULong(jSessionHandle);
     jByteArrayToCKByteArray(env, jSignature, &ckpSignature, &ckSignatureLength);
-    if ((*env)->ExceptionCheck(env)) { return; }
+    if ((*env)->ExceptionCheck(env)) {
+        return;
+    }
 
     /* verify the signature */
     rv = (*ckpFunctions->C_VerifyFinal)(ckSessionHandle, ckpSignature, ckSignatureLength);
 
     free(ckpSignature);
 
-    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
+    ckAssertReturnValueOK(env, rv);
 }
 #endif
 
@@ -583,26 +580,31 @@
     (JNIEnv *env, jobject obj, jlong jSessionHandle, jobject jMechanism, jlong jKeyHandle)
 {
     CK_SESSION_HANDLE ckSessionHandle;
-    CK_MECHANISM ckMechanism;
+    CK_MECHANISM_PTR ckpMechanism = NULL;
     CK_OBJECT_HANDLE ckKeyHandle;
     CK_RV rv;
 
     CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj);
     if (ckpFunctions == NULL) { return; }
 
+    TRACE0("DEBUG: C_VerifyRecoverInit\n");
+
     ckSessionHandle = jLongToCKULong(jSessionHandle);
-    jMechanismToCKMechanism(env, jMechanism, &ckMechanism);
+    ckpMechanism = jMechanismToCKMechanismPtr(env, jMechanism);
     if ((*env)->ExceptionCheck(env)) { return; }
 
     ckKeyHandle = jLongToCKULong(jKeyHandle);
 
-    rv = (*ckpFunctions->C_VerifyRecoverInit)(ckSessionHandle, &ckMechanism, ckKeyHandle);
+    rv = (*ckpFunctions->C_VerifyRecoverInit)(ckSessionHandle, ckpMechanism, ckKeyHandle);
 
-    if (ckMechanism.pParameter != NULL_PTR) {
-        free(ckMechanism.pParameter);
+    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK ||
+            (ckpMechanism->pParameter == NULL)) {
+        freeCKMechanismPtr(ckpMechanism);
+    } else {
+        (*env)->SetLongField(env, jMechanism, mech_pHandleID, (jlong)ckpMechanism);
+        TRACE1("DEBUG C_VerifyRecoverInit: stored pMech = 0x%lX\n", (jlong)ckpMechanism);
     }
-
-    if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; }
+    TRACE0("FINISHED\n");
 }
 #endif
 
@@ -627,7 +629,7 @@
     CK_BYTE OUTBUF[MAX_STACK_BUFFER_LEN];
     CK_BYTE_PTR inBufP;
     CK_BYTE_PTR outBufP = OUTBUF;
-    CK_ULONG ckDataLength = MAX_STACK_BUFFER_LEN;
+    CK_ULONG ckDataLength = 0;
 
     CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj);
     if (ckpFunctions == NULL) { return 0; }
@@ -636,18 +638,19 @@
 
     if (jInLen <= MAX_STACK_BUFFER_LEN) {
         inBufP = INBUF;
+        ckDataLength = MAX_STACK_BUFFER_LEN;
     } else {
         inBufP = (CK_BYTE_PTR) malloc((size_t)jInLen);
         if (inBufP == NULL) {
             throwOutOfMemoryError(env, 0);
             return 0;
         }
+        ckDataLength = jInLen;
     }
 
     (*env)->GetByteArrayRegion(env, jIn, jInOfs, jInLen, (jbyte *)inBufP);
     if ((*env)->ExceptionCheck(env)) {
-        if (inBufP != INBUF) { free(inBufP); }
-        return 0;
+        goto cleanup;
     }
 
     rv = (*ckpFunctions->C_VerifyRecover)(ckSessionHandle, inBufP, jInLen, outBufP, &ckDataLength);
@@ -656,9 +659,8 @@
     if ((rv == CKR_BUFFER_TOO_SMALL) && (ckDataLength <= jIntToCKULong(jOutLen))) {
         outBufP = (CK_BYTE_PTR) malloc(ckDataLength);
         if (outBufP == NULL) {
-            if (inBufP != INBUF) { free(inBufP); }
             throwOutOfMemoryError(env, 0);
-            return 0;
+            goto cleanup;
         }
         rv = (*ckpFunctions->C_VerifyRecover)(ckSessionHandle, inBufP, jInLen, outBufP, &ckDataLength);
     }
@@ -666,6 +668,7 @@
         (*env)->SetByteArrayRegion(env, jOut, jOutOfs, ckDataLength, (jbyte *)outBufP);
     }
 
+cleanup:
     if (inBufP != INBUF) { free(inBufP); }
     if (outBufP != OUTBUF) { free(outBufP); }
 
--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c	Tue Jun 11 13:04:36 2019 -0400
+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c	Tue Jun 11 21:30:28 2019 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
  */
 
 /* Copyright  (c) 2002 Graz University of Technology. All rights reserved.
@@ -277,16 +277,32 @@
  * @param attrPtr pointer to the to-be-freed CK_ATTRIBUTE array.
  * @param len the length of the array
  */
-void freeCKAttributeArray(CK_ATTRIBUTE_PTR attrPtr, int len)
-{
-    int i;
+void freeCKAttributeArray(CK_ATTRIBUTE_PTR attrPtr, int len) {
+    if (attrPtr != NULL) {
+        int i;
+        for (i=0; i<len; i++) {
+            if (attrPtr[i].pValue != NULL_PTR) {
+                free(attrPtr[i].pValue);
+            }
+        }
+        free(attrPtr);
+    }
+}
 
-    for (i=0; i<len; i++) {
-        if (attrPtr[i].pValue != NULL_PTR) {
-            free(attrPtr[i].pValue);
-        }
-    }
-    free(attrPtr);
+/* This function frees the specified CK_MECHANISM_PTR pointer and its
+ * pParameter. NOTE: mechanism-specific memory allocations have to be
+ * freed before this call as this method only frees the generic
+ * memory associated with CK_MECHANISM structure.
+ *
+ * @param mechPtr pointer to the to-be-freed CK_MECHANISM structure.
+ */
+
+void freeCKMechanismPtr(CK_MECHANISM_PTR mechPtr) {
+     if (mechPtr != NULL) {
+         TRACE1("DEBUG: free CK_MECHANISM %x", mechPtr);
+         free(mechPtr->pParameter);
+         free(mechPtr);
+     }
 }
 
 /*
@@ -964,165 +980,164 @@
 
 /*
  * converts a Java object into a pointer to CK-type or a CK-structure with the length in Bytes.
- * The memory of *ckpObjectPtr to be freed after use! This function is only used by
- * jAttributeToCKAttribute by now.
+ * The memory of the returned pointer MUST BE FREED BY CALLER!
  *
  * @param env - used to call JNI funktions to get the Java classes and objects
  * @param jObject - the Java object to convert
- * @param ckpObjectPtr - the reference of the new pointer to the new CK-value or CK-structure
- * @param ckpLength - the reference of the length in bytes of the new CK-value or CK-structure
+ * @param ckpLength - pointer to the length (bytes) of the newly-allocated CK-value or CK-structure
+ * @return ckpObject - pointer to the newly-allocated CK-value or CK-structure
  */
-void jObjectToPrimitiveCKObjectPtrPtr(JNIEnv *env, jobject jObject, CK_VOID_PTR *ckpObjectPtr, CK_ULONG *ckpLength)
+CK_VOID_PTR jObjectToPrimitiveCKObjectPtr(JNIEnv *env, jobject jObject, CK_ULONG *ckpLength)
 {
     jclass jLongClass, jBooleanClass, jByteArrayClass, jCharArrayClass;
     jclass jByteClass, jDateClass, jCharacterClass, jIntegerClass;
     jclass jBooleanArrayClass, jIntArrayClass, jLongArrayClass;
     jclass jStringClass;
     jclass jObjectClass, jClassClass;
-    CK_VOID_PTR ckpVoid = *ckpObjectPtr;
+    CK_VOID_PTR ckpObject;
     jmethodID jMethod;
     jobject jClassObject;
     jstring jClassNameString;
     char *classNameString, *exceptionMsgPrefix, *exceptionMsg;
 
-    TRACE0("\nDEBUG: jObjectToPrimitiveCKObjectPtrPtr");
+    TRACE0("\nDEBUG: jObjectToPrimitiveCKObjectPtr");
     if (jObject == NULL) {
-        *ckpObjectPtr = NULL;
         *ckpLength = 0;
-        return;
+        return NULL;
     }
 
     jLongClass = (*env)->FindClass(env, "java/lang/Long");
-    if (jLongClass == NULL) { return; }
+    if (jLongClass == NULL) { return NULL; }
     if ((*env)->IsInstanceOf(env, jObject, jLongClass)) {
-        *ckpObjectPtr = jLongObjectToCKULongPtr(env, jObject);
+        ckpObject = jLongObjectToCKULongPtr(env, jObject);
         *ckpLength = sizeof(CK_ULONG);
-        TRACE1("<converted long value %X>", *((CK_ULONG *) *ckpObjectPtr));
-        return;
+        TRACE1("<converted long value %X>", *((CK_ULONG *) ckpObject));
+        return ckpObject;
     }
 
     jBooleanClass = (*env)->FindClass(env, "java/lang/Boolean");
-    if (jBooleanClass == NULL) { return; }
+    if (jBooleanClass == NULL) { return NULL; }
     if ((*env)->IsInstanceOf(env, jObject, jBooleanClass)) {
-        *ckpObjectPtr = jBooleanObjectToCKBBoolPtr(env, jObject);
+        ckpObject = jBooleanObjectToCKBBoolPtr(env, jObject);
         *ckpLength = sizeof(CK_BBOOL);
         TRACE0(" <converted boolean value ");
-        TRACE0((*((CK_BBOOL *) *ckpObjectPtr) == TRUE) ? "TRUE>" : "FALSE>");
-        return;
+        TRACE0((*((CK_BBOOL *) ckpObjectPtr) == TRUE) ? "TRUE>" : "FALSE>");
+        return ckpObject;
     }
 
     jByteArrayClass = (*env)->FindClass(env, "[B");
-    if (jByteArrayClass == NULL) { return; }
+    if (jByteArrayClass == NULL) { return NULL; }
     if ((*env)->IsInstanceOf(env, jObject, jByteArrayClass)) {
-        jByteArrayToCKByteArray(env, jObject, (CK_BYTE_PTR*)ckpObjectPtr, ckpLength);
-        return;
+        jByteArrayToCKByteArray(env, jObject, (CK_BYTE_PTR*) &ckpObject, ckpLength);
+        return ckpObject;
     }
 
     jCharArrayClass = (*env)->FindClass(env, "[C");
-    if (jCharArrayClass == NULL) { return; }
+    if (jCharArrayClass == NULL) { return NULL; }
     if ((*env)->IsInstanceOf(env, jObject, jCharArrayClass)) {
-        jCharArrayToCKUTF8CharArray(env, jObject, (CK_UTF8CHAR_PTR*)ckpObjectPtr, ckpLength);
-        return;
+        jCharArrayToCKUTF8CharArray(env, jObject, (CK_UTF8CHAR_PTR*) &ckpObject, ckpLength);
+        return ckpObject;
     }
 
     jByteClass = (*env)->FindClass(env, "java/lang/Byte");
-    if (jByteClass == NULL) { return; }
+    if (jByteClass == NULL) { return NULL; }
     if ((*env)->IsInstanceOf(env, jObject, jByteClass)) {
-        *ckpObjectPtr = jByteObjectToCKBytePtr(env, jObject);
+        ckpObject = jByteObjectToCKBytePtr(env, jObject);
         *ckpLength = sizeof(CK_BYTE);
-        TRACE1("<converted byte value %X>", *((CK_BYTE *) *ckpObjectPtr));
-        return;
+        TRACE1("<converted byte value %X>", *((CK_BYTE *) ckpObject));
+        return ckpObject;
     }
 
     jDateClass = (*env)->FindClass(env, CLASS_DATE);
-    if (jDateClass == NULL) { return; }
+    if (jDateClass == NULL) { return NULL; }
     if ((*env)->IsInstanceOf(env, jObject, jDateClass)) {
-        *ckpObjectPtr = jDateObjectPtrToCKDatePtr(env, jObject);
+        ckpObject = jDateObjectPtrToCKDatePtr(env, jObject);
         *ckpLength = sizeof(CK_DATE);
-        TRACE3("<converted date value %.4s-%.2s-%.2s>", (*((CK_DATE *) *ckpObjectPtr)).year, (*((CK_DATE *) *ckpObjectPtr)).month, (*((CK_DATE *) *ckpObjectPtr)).day);
-        return;
+        TRACE3("<converted date value %.4s-%.2s-%.2s>", ((CK_DATE *) ckpObject)->year,
+                ((CK_DATE *) ckpObject)->month, ((CK_DATE *) ckpObject)->day);
+        return ckpObject;
     }
 
     jCharacterClass = (*env)->FindClass(env, "java/lang/Character");
-    if (jCharacterClass == NULL) { return; }
+    if (jCharacterClass == NULL) { return NULL; }
     if ((*env)->IsInstanceOf(env, jObject, jCharacterClass)) {
-        *ckpObjectPtr = jCharObjectToCKCharPtr(env, jObject);
+        ckpObject = jCharObjectToCKCharPtr(env, jObject);
         *ckpLength = sizeof(CK_UTF8CHAR);
-        TRACE1("<converted char value %c>", *((CK_CHAR *) *ckpObjectPtr));
-        return;
+        TRACE1("<converted char value %c>", *((CK_CHAR *) ckpObject));
+        return ckpObject;
     }
 
     jIntegerClass = (*env)->FindClass(env, "java/lang/Integer");
-    if (jIntegerClass == NULL) { return; }
+    if (jIntegerClass == NULL) { return NULL; }
     if ((*env)->IsInstanceOf(env, jObject, jIntegerClass)) {
-        *ckpObjectPtr = jIntegerObjectToCKULongPtr(env, jObject);
+        ckpObject = jIntegerObjectToCKULongPtr(env, jObject);
         *ckpLength = sizeof(CK_ULONG);
-        TRACE1("<converted integer value %X>", *((CK_ULONG *) *ckpObjectPtr));
-        return;
+        TRACE1("<converted integer value %X>", *((CK_ULONG *) ckpObject));
+        return ckpObject;
     }
 
     jBooleanArrayClass = (*env)->FindClass(env, "[Z");
-    if (jBooleanArrayClass == NULL) { return; }
+    if (jBooleanArrayClass == NULL) { return NULL; }
     if ((*env)->IsInstanceOf(env, jObject, jBooleanArrayClass)) {
-        jBooleanArrayToCKBBoolArray(env, jObject, (CK_BBOOL**)ckpObjectPtr, ckpLength);
-        return;
+        jBooleanArrayToCKBBoolArray(env, jObject, (CK_BBOOL**) &ckpObject, ckpLength);
+        return ckpObject;
     }
 
     jIntArrayClass = (*env)->FindClass(env, "[I");
-    if (jIntArrayClass == NULL) { return; }
+    if (jIntArrayClass == NULL) { return NULL; }
     if ((*env)->IsInstanceOf(env, jObject, jIntArrayClass)) {
-        jLongArrayToCKULongArray(env, jObject, (CK_ULONG_PTR*)ckpObjectPtr, ckpLength);
-        return;
+        jLongArrayToCKULongArray(env, jObject, (CK_ULONG_PTR*) &ckpObject, ckpLength);
+        return ckpObject;
     }
 
     jLongArrayClass = (*env)->FindClass(env, "[J");
-    if (jLongArrayClass == NULL) { return; }
+    if (jLongArrayClass == NULL) { return NULL; }
     if ((*env)->IsInstanceOf(env, jObject, jLongArrayClass)) {
-        jLongArrayToCKULongArray(env, jObject, (CK_ULONG_PTR*)ckpObjectPtr, ckpLength);
-        return;
+        jLongArrayToCKULongArray(env, jObject, (CK_ULONG_PTR*) &ckpObject, ckpLength);
+        return ckpObject;
     }
 
     jStringClass = (*env)->FindClass(env, "java/lang/String");
-    if (jStringClass == NULL) { return; }
+    if (jStringClass == NULL) { return NULL; }
     if ((*env)->IsInstanceOf(env, jObject, jStringClass)) {
-        jStringToCKUTF8CharArray(env, jObject, (CK_UTF8CHAR_PTR*)ckpObjectPtr, ckpLength);
-        return;
+        jStringToCKUTF8CharArray(env, jObject, (CK_UTF8CHAR_PTR*) &ckpObject, ckpLength);
+        return ckpObject;
     }
 
     /* type of jObject unknown, throw PKCS11RuntimeException */
     jObjectClass = (*env)->FindClass(env, "java/lang/Object");
-    if (jObjectClass == NULL) { return; }
+    if (jObjectClass == NULL) { return NULL; }
     jMethod = (*env)->GetMethodID(env, jObjectClass, "getClass", "()Ljava/lang/Class;");
-    if (jMethod == NULL) { return; }
+    if (jMethod == NULL) { return NULL; }
     jClassObject = (*env)->CallObjectMethod(env, jObject, jMethod);
     assert(jClassObject != 0);
     jClassClass = (*env)->FindClass(env, "java/lang/Class");
-    if (jClassClass == NULL) { return; }
+    if (jClassClass == NULL) { return NULL; }
     jMethod = (*env)->GetMethodID(env, jClassClass, "getName", "()Ljava/lang/String;");
-    if (jMethod == NULL) { return; }
+    if (jMethod == NULL) { return NULL; }
     jClassNameString = (jstring)
         (*env)->CallObjectMethod(env, jClassObject, jMethod);
     assert(jClassNameString != 0);
     classNameString = (char*)
         (*env)->GetStringUTFChars(env, jClassNameString, NULL);
-    if (classNameString == NULL) { return; }
+    if (classNameString == NULL) { return NULL; }
     exceptionMsgPrefix = "Java object of this class cannot be converted to native PKCS#11 type: ";
     exceptionMsg = (char *)
         malloc((strlen(exceptionMsgPrefix) + strlen(classNameString) + 1));
     if (exceptionMsg == NULL) {
         (*env)->ReleaseStringUTFChars(env, jClassNameString, classNameString);
         throwOutOfMemoryError(env, 0);
-        return;
+        return NULL;
     }
     strcpy(exceptionMsg, exceptionMsgPrefix);
     strcat(exceptionMsg, classNameString);
     (*env)->ReleaseStringUTFChars(env, jClassNameString, classNameString);
     throwPKCS11RuntimeException(env, exceptionMsg);
     free(exceptionMsg);
-    *ckpObjectPtr = NULL;
     *ckpLength = 0;
 
     TRACE0("FINISHED\n");
+    return NULL;
 }
 
 #ifdef P11_MEMORYDEBUG
--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs-11v2-20a3.h	Tue Jun 11 13:04:36 2019 -0400
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,124 +0,0 @@
-/* pkcs-11v2-20a3.h include file for the PKCS #11 Version 2.20 Amendment 3
-   document. */
-
-/* $Revision: 1.4 $ */
-
-/* License to copy and use this software is granted provided that it is
- * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
- * (Cryptoki) Version 2.20 Amendment 3" in all material mentioning or
- * referencing this software.
-
- * RSA Security Inc. makes no representations concerning either the
- * merchantability of this software or the suitability of this software for
- * any particular purpose. It is provided "as is" without express or implied
- * warranty of any kind.
- */
-
-/* This file is preferably included after inclusion of pkcs11.h */
-
-#ifndef _PKCS_11V2_20A3_H_
-#define _PKCS_11V2_20A3_H_ 1
-
-/* Are the definitions of this file already included in pkcs11t.h ? */
-#ifndef CKK_CAMELLIA
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* Key types */
-
-/* Camellia is new for PKCS #11 v2.20 amendment 3 */
-#define CKK_CAMELLIA                   0x00000025
-/* ARIA is new for PKCS #11 v2.20 amendment 3 */
-#define CKK_ARIA                       0x00000026
-
-
-/* Mask-generating functions */
-
-/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */
-#define CKG_MGF1_SHA224                0x00000005
-
-
-/* Mechanism Identifiers */
-
-/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */
-#define CKM_SHA224                     0x00000255
-#define CKM_SHA224_HMAC                0x00000256
-#define CKM_SHA224_HMAC_GENERAL        0x00000257
-
-/* SHA-224 key derivation is new for PKCS #11 v2.20 amendment 3 */
-#define CKM_SHA224_KEY_DERIVATION      0x00000396
-
-/* SHA-224 RSA mechanisms are new for PKCS #11 v2.20 amendment 3 */
-#define CKM_SHA224_RSA_PKCS            0x00000046
-#define CKM_SHA224_RSA_PKCS_PSS        0x00000047
-
-/* AES counter mode is new for PKCS #11 v2.20 amendment 3 */
-#define CKM_AES_CTR                    0x00001086
-
-/* Camellia is new for PKCS #11 v2.20 amendment 3 */
-#define CKM_CAMELLIA_KEY_GEN           0x00000550
-#define CKM_CAMELLIA_ECB               0x00000551
-#define CKM_CAMELLIA_CBC               0x00000552
-#define CKM_CAMELLIA_MAC               0x00000553
-#define CKM_CAMELLIA_MAC_GENERAL       0x00000554
-#define CKM_CAMELLIA_CBC_PAD           0x00000555
-#define CKM_CAMELLIA_ECB_ENCRYPT_DATA  0x00000556
-#define CKM_CAMELLIA_CBC_ENCRYPT_DATA  0x00000557
-#define CKM_CAMELLIA_CTR               0x00000558
-
-/* ARIA is new for PKCS #11 v2.20 amendment 3 */
-#define CKM_ARIA_KEY_GEN               0x00000560
-#define CKM_ARIA_ECB                   0x00000561
-#define CKM_ARIA_CBC                   0x00000562
-#define CKM_ARIA_MAC                   0x00000563
-#define CKM_ARIA_MAC_GENERAL           0x00000564
-#define CKM_ARIA_CBC_PAD               0x00000565
-#define CKM_ARIA_ECB_ENCRYPT_DATA      0x00000566
-#define CKM_ARIA_CBC_ENCRYPT_DATA      0x00000567
-
-
-/* Mechanism parameters */
-
-/* CK_AES_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */
-typedef struct CK_AES_CTR_PARAMS {
-    CK_ULONG ulCounterBits;
-    CK_BYTE cb[16];
-} CK_AES_CTR_PARAMS;
-
-typedef CK_AES_CTR_PARAMS CK_PTR CK_AES_CTR_PARAMS_PTR;
-
-/* CK_CAMELLIA_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */
-typedef struct CK_CAMELLIA_CTR_PARAMS {
-    CK_ULONG ulCounterBits;
-    CK_BYTE cb[16];
-} CK_CAMELLIA_CTR_PARAMS;
-
-typedef CK_CAMELLIA_CTR_PARAMS CK_PTR CK_CAMELLIA_CTR_PARAMS_PTR;
-
-/* CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */
-typedef struct CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS {
-    CK_BYTE      iv[16];
-    CK_BYTE_PTR  pData;
-    CK_ULONG     length;
-} CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS;
-
-typedef CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
-
-/* CK_ARIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */
-typedef struct CK_ARIA_CBC_ENCRYPT_DATA_PARAMS {
-    CK_BYTE      iv[16];
-    CK_BYTE_PTR  pData;
-    CK_ULONG     length;
-} CK_ARIA_CBC_ENCRYPT_DATA_PARAMS;
-
-typedef CK_ARIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_ARIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
-
-#endif
--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11.h	Tue Jun 11 13:04:36 2019 -0400
+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11.h	Tue Jun 11 21:30:28 2019 +0000
@@ -1,19 +1,12 @@
-/* pkcs11.h include file for PKCS #11. */
-/* $Revision: 1.4 $ */
+/* Copyright (c) OASIS Open 2016. All Rights Reserved./
+ * /Distributed under the terms of the OASIS IPR Policy,
+ * [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY
+ * IMPLIED OR EXPRESS WARRANTY; there is no warranty of MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others.
+ */
 
-/* License to copy and use this software is granted provided that it is
- * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
- * (Cryptoki)" in all material mentioning or referencing this software.
-
- * License is also granted to make and use derivative works provided that
- * such works are identified as "derived from the RSA Security Inc. PKCS #11
- * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
- * referencing the derived work.
-
- * RSA Security Inc. makes no representations concerning either the
- * merchantability of this software or the suitability of this software for
- * any particular purpose. It is provided "as is" without express or implied
- * warranty of any kind.
+/* Latest version of the specification:
+ * http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html
  */
 
 #ifndef _PKCS11_H_
@@ -24,14 +17,14 @@
 #endif
 
 /* Before including this file (pkcs11.h) (or pkcs11t.h by
- * itself), 6 platform-specific macros must be defined.  These
+ * itself), 5 platform-specific macros must be defined.  These
  * macros are described below, and typical definitions for them
  * are also given.  Be advised that these definitions can depend
  * on both the platform and the compiler used (and possibly also
  * on whether a Cryptoki library is linked statically or
  * dynamically).
  *
- * In addition to defining these 6 macros, the packing convention
+ * In addition to defining these 5 macros, the packing convention
  * for Cryptoki structures should be set.  The Cryptoki
  * convention on packing is that structures should be 1-byte
  * aligned.
@@ -81,39 +74,7 @@
  * #define CK_PTR *
  *
  *
- * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes
- * an exportable Cryptoki library function definition out of a
- * return type and a function name.  It should be used in the
- * following fashion to define the exposed Cryptoki functions in
- * a Cryptoki library:
- *
- * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(
- *   CK_VOID_PTR pReserved
- * )
- * {
- *   ...
- * }
- *
- * If you're using Microsoft Developer Studio 5.0 to define a
- * function in a Win32 Cryptoki .dll, it might be defined by:
- *
- * #define CK_DEFINE_FUNCTION(returnType, name) \
- *   returnType __declspec(dllexport) name
- *
- * If you're using an earlier version of Microsoft Developer
- * Studio to define a function in a Win16 Cryptoki .dll, it
- * might be defined by:
- *
- * #define CK_DEFINE_FUNCTION(returnType, name) \
- *   returnType __export _far _pascal name
- *
- * In a UNIX environment, it might be defined by:
- *
- * #define CK_DEFINE_FUNCTION(returnType, name) \
- *   returnType name
- *
- *
- * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
+ * 2. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
  * an importable Cryptoki library function declaration out of a
  * return type and a function name.  It should be used in the
  * following fashion:
@@ -141,7 +102,7 @@
  *   returnType name
  *
  *
- * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
+ * 3. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
  * which makes a Cryptoki API function pointer declaration or
  * function pointer type declaration out of a return type and a
  * function name.  It should be used in the following fashion:
@@ -178,7 +139,7 @@
  *   returnType (* name)
  *
  *
- * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
+ * 4. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
  * a function pointer type for an application callback out of
  * a return type for the callback and a name for the callback.
  * It should be used in the following fashion:
@@ -210,7 +171,7 @@
  *   returnType (* name)
  *
  *
- * 6. NULL_PTR: This macro is the value of a NULL pointer.
+ * 5. NULL_PTR: This macro is the value of a NULL pointer.
  *
  * In any ANSI/ISO C environment (and in many others as well),
  * this should best be defined by
@@ -222,7 +183,8 @@
 
 
 /* All the various Cryptoki types and #define'd values are in the
- * file pkcs11t.h. */
+ * file pkcs11t.h.
+ */
 #include "pkcs11t.h"
 
 #define __PASTE(x,y)      x##y
@@ -238,7 +200,8 @@
   extern CK_DECLARE_FUNCTION(CK_RV, name)
 
 /* pkcs11f.h has all the information about the Cryptoki
- * function prototypes. */
+ * function prototypes.
+ */
 #include "pkcs11f.h"
 
 #undef CK_NEED_ARG_LIST
@@ -257,7 +220,8 @@
   typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
 
 /* pkcs11f.h has all the information about the Cryptoki
- * function prototypes. */
+ * function prototypes.
+ */
 #include "pkcs11f.h"
 
 #undef CK_NEED_ARG_LIST
@@ -282,7 +246,8 @@
 
 /* Pile all the function pointers into the CK_FUNCTION_LIST. */
 /* pkcs11f.h has all the information about the Cryptoki
- * function prototypes. */
+ * function prototypes.
+ */
 #include "pkcs11f.h"
 
 };
@@ -296,4 +261,5 @@
 }
 #endif
 
-#endif
+#endif /* _PKCS11_H_ */
+
--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11f.h	Tue Jun 11 13:04:36 2019 -0400
+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11f.h	Tue Jun 11 21:30:28 2019 +0000
@@ -1,26 +1,20 @@
-/* pkcs11f.h include file for PKCS #11. */
-/* $Revision: 1.4 $ */
-
-/* License to copy and use this software is granted provided that it is
- * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
- * (Cryptoki)" in all material mentioning or referencing this software.
-
- * License is also granted to make and use derivative works provided that
- * such works are identified as "derived from the RSA Security Inc. PKCS #11
- * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
- * referencing the derived work.
-
- * RSA Security Inc. makes no representations concerning either the
- * merchantability of this software or the suitability of this software for
- * any particular purpose. It is provided "as is" without express or implied
- * warranty of any kind.
+/* Copyright (c) OASIS Open 2016. All Rights Reserved./
+ * /Distributed under the terms of the OASIS IPR Policy,
+ * [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY
+ * IMPLIED OR EXPRESS WARRANTY; there is no warranty of MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others.
  */
 
-/* This header file contains pretty much everything about all the */
-/* Cryptoki function prototypes.  Because this information is */
-/* used for more than just declaring function prototypes, the */
-/* order of the functions appearing herein is important, and */
-/* should not be altered. */
+/* Latest version of the specification:
+ * http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html
+ */
+
+/* This header file contains pretty much everything about all the
+ * Cryptoki function prototypes.  Because this information is
+ * used for more than just declaring function prototypes, the
+ * order of the functions appearing herein is important, and
+ * should not be altered.
+ */
 
 /* General-purpose */
 
@@ -30,13 +24,15 @@
 (
   CK_VOID_PTR   pInitArgs  /* if this is not NULL_PTR, it gets
                             * cast to CK_C_INITIALIZE_ARGS_PTR
-                            * and dereferenced */
+                            * and dereferenced
+                            */
 );
 #endif
 
 
 /* C_Finalize indicates that an application is done with the
- * Cryptoki library. */
+ * Cryptoki library.
+ */
 CK_PKCS11_FUNCTION_INFO(C_Finalize)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -59,7 +55,8 @@
 #ifdef CK_NEED_ARG_LIST
 (
   CK_FUNCTION_LIST_PTR_PTR ppFunctionList  /* receives pointer to
-                                            * function list */
+                                            * function list
+                                            */
 );
 #endif
 
@@ -71,7 +68,7 @@
 CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
 #ifdef CK_NEED_ARG_LIST
 (
-  CK_BBOOL       tokenPresent,  /* only slots with tokens? */
+  CK_BBOOL       tokenPresent,  /* only slots with tokens */
   CK_SLOT_ID_PTR pSlotList,     /* receives array of slot IDs */
   CK_ULONG_PTR   pulCount       /* receives number of slots */
 );
@@ -79,7 +76,8 @@
 
 
 /* C_GetSlotInfo obtains information about a particular slot in
- * the system. */
+ * the system.
+ */
 CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -90,7 +88,8 @@
 
 
 /* C_GetTokenInfo obtains information about a particular token
- * in the system. */
+ * in the system.
+ */
 CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -101,7 +100,8 @@
 
 
 /* C_GetMechanismList obtains a list of mechanism types
- * supported by a token. */
+ * supported by a token.
+ */
 CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -113,7 +113,8 @@
 
 
 /* C_GetMechanismInfo obtains information about a particular
- * mechanism possibly supported by a token. */
+ * mechanism possibly supported by a token.
+ */
 CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -127,7 +128,6 @@
 /* C_InitToken initializes a token. */
 CK_PKCS11_FUNCTION_INFO(C_InitToken)
 #ifdef CK_NEED_ARG_LIST
-/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */
 (
   CK_SLOT_ID      slotID,    /* ID of the token's slot */
   CK_UTF8CHAR_PTR pPin,      /* the SO's initial PIN */
@@ -165,7 +165,8 @@
 /* Session management */
 
 /* C_OpenSession opens a session between an application and a
- * token. */
+ * token.
+ */
 CK_PKCS11_FUNCTION_INFO(C_OpenSession)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -179,7 +180,8 @@
 
 
 /* C_CloseSession closes a session between an application and a
- * token. */
+ * token.
+ */
 CK_PKCS11_FUNCTION_INFO(C_CloseSession)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -208,7 +210,8 @@
 
 
 /* C_GetOperationState obtains the state of the cryptographic operation
- * in a session. */
+ * in a session.
+ */
 CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -220,7 +223,8 @@
 
 
 /* C_SetOperationState restores the state of the cryptographic
- * operation in a session. */
+ * operation in a session.
+ */
 CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -270,7 +274,8 @@
 
 
 /* C_CopyObject copies an object, creating a new object for the
- * copy. */
+ * copy.
+ */
 CK_PKCS11_FUNCTION_INFO(C_CopyObject)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -305,7 +310,8 @@
 
 
 /* C_GetAttributeValue obtains the value of one or more object
- * attributes. */
+ * attributes.
+ */
 CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -318,7 +324,8 @@
 
 
 /* C_SetAttributeValue modifies the value of one or more object
- * attributes */
+ * attributes.
+ */
 CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -331,7 +338,8 @@
 
 
 /* C_FindObjectsInit initializes a search for token and session
- * objects that match a template. */
+ * objects that match a template.
+ */
 CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -344,7 +352,8 @@
 
 /* C_FindObjects continues a search for token and session
  * objects that match a template, obtaining additional object
- * handles. */
+ * handles.
+ */
 CK_PKCS11_FUNCTION_INFO(C_FindObjects)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -357,7 +366,8 @@
 
 
 /* C_FindObjectsFinal finishes a search for token and session
- * objects. */
+ * objects.
+ */
 CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -394,7 +404,8 @@
 
 
 /* C_EncryptUpdate continues a multiple-part encryption
- * operation. */
+ * operation.
+ */
 CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -408,7 +419,8 @@
 
 
 /* C_EncryptFinal finishes a multiple-part encryption
- * operation. */
+ * operation.
+ */
 CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -444,7 +456,8 @@
 
 
 /* C_DecryptUpdate continues a multiple-part decryption
- * operation. */
+ * operation.
+ */
 CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -458,7 +471,8 @@
 
 
 /* C_DecryptFinal finishes a multiple-part decryption
- * operation. */
+ * operation.
+ */
 CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -496,7 +510,8 @@
 
 
 /* C_DigestUpdate continues a multiple-part message-digesting
- * operation. */
+ * operation.
+ */
 CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -509,7 +524,8 @@
 
 /* C_DigestKey continues a multi-part message-digesting
  * operation, by digesting the value of a secret key as part of
- * the data already digested. */
+ * the data already digested.
+ */
 CK_PKCS11_FUNCTION_INFO(C_DigestKey)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -520,7 +536,8 @@
 
 
 /* C_DigestFinal finishes a multiple-part message-digesting
- * operation. */
+ * operation.
+ */
 CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -537,7 +554,8 @@
 /* C_SignInit initializes a signature (private key encryption)
  * operation, where the signature is (will be) an appendix to
  * the data, and plaintext cannot be recovered from the
- *signature. */
+ * signature.
+ */
 CK_PKCS11_FUNCTION_INFO(C_SignInit)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -550,7 +568,8 @@
 
 /* C_Sign signs (encrypts with private key) data in a single
  * part, where the signature is (will be) an appendix to the
- * data, and plaintext cannot be recovered from the signature. */
+ * data, and plaintext cannot be recovered from the signature.
+ */
 CK_PKCS11_FUNCTION_INFO(C_Sign)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -565,7 +584,8 @@
 
 /* C_SignUpdate continues a multiple-part signature operation,
  * where the signature is (will be) an appendix to the data,
- * and plaintext cannot be recovered from the signature. */
+ * and plaintext cannot be recovered from the signature.
+ */
 CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -577,7 +597,8 @@
 
 
 /* C_SignFinal finishes a multiple-part signature operation,
- * returning the signature. */
+ * returning the signature.
+ */
 CK_PKCS11_FUNCTION_INFO(C_SignFinal)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -589,7 +610,8 @@
 
 
 /* C_SignRecoverInit initializes a signature operation, where
- * the data can be recovered from the signature. */
+ * the data can be recovered from the signature.
+ */
 CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -601,7 +623,8 @@
 
 
 /* C_SignRecover signs data in a single operation, where the
- * data can be recovered from the signature. */
+ * data can be recovered from the signature.
+ */
 CK_PKCS11_FUNCTION_INFO(C_SignRecover)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -619,7 +642,8 @@
 
 /* C_VerifyInit initializes a verification operation, where the
  * signature is an appendix to the data, and plaintext cannot
- *  cannot be recovered from the signature (e.g. DSA). */
+ * cannot be recovered from the signature (e.g. DSA).
+ */
 CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -632,7 +656,8 @@
 
 /* C_Verify verifies a signature in a single-part operation,
  * where the signature is an appendix to the data, and plaintext
- * cannot be recovered from the signature. */
+ * cannot be recovered from the signature.
+ */
 CK_PKCS11_FUNCTION_INFO(C_Verify)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -647,7 +672,8 @@
 
 /* C_VerifyUpdate continues a multiple-part verification
  * operation, where the signature is an appendix to the data,
- * and plaintext cannot be recovered from the signature. */
+ * and plaintext cannot be recovered from the signature.
+ */
 CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -659,7 +685,8 @@
 
 
 /* C_VerifyFinal finishes a multiple-part verification
- * operation, checking the signature. */
+ * operation, checking the signature.
+ */
 CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -671,7 +698,8 @@
 
 
 /* C_VerifyRecoverInit initializes a signature verification
- * operation, where the data is recovered from the signature. */
+ * operation, where the data is recovered from the signature.
+ */
 CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -683,7 +711,8 @@
 
 
 /* C_VerifyRecover verifies a signature in a single-part
- * operation, where the data is recovered from the signature. */
+ * operation, where the data is recovered from the signature.
+ */
 CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -700,7 +729,8 @@
 /* Dual-function cryptographic operations */
 
 /* C_DigestEncryptUpdate continues a multiple-part digesting
- * and encryption operation. */
+ * and encryption operation.
+ */
 CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -714,7 +744,8 @@
 
 
 /* C_DecryptDigestUpdate continues a multiple-part decryption and
- * digesting operation. */
+ * digesting operation.
+ */
 CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -728,7 +759,8 @@
 
 
 /* C_SignEncryptUpdate continues a multiple-part signing and
- * encryption operation. */
+ * encryption operation.
+ */
 CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -742,7 +774,8 @@
 
 
 /* C_DecryptVerifyUpdate continues a multiple-part decryption and
- * verify operation. */
+ * verify operation.
+ */
 CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -759,7 +792,8 @@
 /* Key management */
 
 /* C_GenerateKey generates a secret key, creating a new key
- * object. */
+ * object.
+ */
 CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -773,30 +807,19 @@
 
 
 /* C_GenerateKeyPair generates a public-key/private-key pair,
- * creating new key objects. */
+ * creating new key objects.
+ */
 CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
 #ifdef CK_NEED_ARG_LIST
 (
-  CK_SESSION_HANDLE    hSession,                    /* session
-                                                     * handle */
-  CK_MECHANISM_PTR     pMechanism,                  /* key-gen
-                                                     * mech. */
-  CK_ATTRIBUTE_PTR     pPublicKeyTemplate,          /* template
-                                                     * for pub.
-                                                     * key */
-  CK_ULONG             ulPublicKeyAttributeCount,   /* # pub.
-                                                     * attrs. */
-  CK_ATTRIBUTE_PTR     pPrivateKeyTemplate,         /* template
-                                                     * for priv.
-                                                     * key */
-  CK_ULONG             ulPrivateKeyAttributeCount,  /* # priv.
-                                                     * attrs. */
-  CK_OBJECT_HANDLE_PTR phPublicKey,                 /* gets pub.
-                                                     * key
-                                                     * handle */
-  CK_OBJECT_HANDLE_PTR phPrivateKey                 /* gets
-                                                     * priv. key
-                                                     * handle */
+  CK_SESSION_HANDLE    hSession,                    /* session handle */
+  CK_MECHANISM_PTR     pMechanism,                  /* key-gen mech. */
+  CK_ATTRIBUTE_PTR     pPublicKeyTemplate,          /* template for pub. key */
+  CK_ULONG             ulPublicKeyAttributeCount,   /* # pub. attrs. */
+  CK_ATTRIBUTE_PTR     pPrivateKeyTemplate,         /* template for priv. key */
+  CK_ULONG             ulPrivateKeyAttributeCount,  /* # priv.  attrs. */
+  CK_OBJECT_HANDLE_PTR phPublicKey,                 /* gets pub. key handle */
+  CK_OBJECT_HANDLE_PTR phPrivateKey                 /* gets priv. key handle */
 );
 #endif
 
@@ -816,7 +839,8 @@
 
 
 /* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
- * key object. */
+ * key object.
+ */
 CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -833,7 +857,8 @@
 
 
 /* C_DeriveKey derives a key from a base key, creating a new key
- * object. */
+ * object.
+ */
 CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -851,7 +876,8 @@
 /* Random number generation */
 
 /* C_SeedRandom mixes additional seed material into the token's
- * random number generator. */
+ * random number generator.
+ */
 CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -878,7 +904,8 @@
 
 /* C_GetFunctionStatus is a legacy function; it obtains an
  * updated status of a function running in parallel with an
- * application. */
+ * application.
+ */
 CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -888,7 +915,8 @@
 
 
 /* C_CancelFunction is a legacy function; it cancels a function
- * running in parallel. */
+ * running in parallel.
+ */
 CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -897,11 +925,9 @@
 #endif
 
 
-
-/* Functions added in for Cryptoki Version 2.01 or later */
-
 /* C_WaitForSlotEvent waits for a slot event (token insertion,
- * removal, etc.) to occur. */
+ * removal, etc.) to occur.
+ */
 CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
 #ifdef CK_NEED_ARG_LIST
 (
@@ -910,3 +936,4 @@
   CK_VOID_PTR pRserved   /* reserved.  Should be NULL_PTR */
 );
 #endif
+
--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11t.h	Tue Jun 11 13:04:36 2019 -0400
+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11t.h	Tue Jun 11 21:30:28 2019 +0000
@@ -1,36 +1,33 @@
-/* pkcs11t.h include file for PKCS #11. */
-/* $Revision: 1.6 $ */
+/* Copyright (c) OASIS Open 2016. All Rights Reserved./
+ * /Distributed under the terms of the OASIS IPR Policy,
+ * [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY
+ * IMPLIED OR EXPRESS WARRANTY; there is no warranty of MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others.
+ */
 
-/* License to copy and use this software is granted provided that it is
- * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
- * (Cryptoki)" in all material mentioning or referencing this software.
-
- * License is also granted to make and use derivative works provided that
- * such works are identified as "derived from the RSA Security Inc. PKCS #11
- * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
- * referencing the derived work.
-
- * RSA Security Inc. makes no representations concerning either the
- * merchantability of this software or the suitability of this software for
- * any particular purpose. It is provided "as is" without express or implied
- * warranty of any kind.
+/* Latest version of the specification:
+ * http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html
  */
 
 /* See top of pkcs11.h for information about the macros that
  * must be defined and the structure-packing conventions that
- * must be set before including this file. */
+ * must be set before including this file.
+ */
 
 #ifndef _PKCS11T_H_
 #define _PKCS11T_H_ 1
 
-#define CK_TRUE 1
-#define CK_FALSE 0
+#define CRYPTOKI_VERSION_MAJOR          2
+#define CRYPTOKI_VERSION_MINOR          40
+#define CRYPTOKI_VERSION_AMENDMENT      0
+
+#define CK_TRUE         1
+#define CK_FALSE        0
 
 #ifndef CK_DISABLE_TRUE_FALSE
 #ifndef FALSE
 #define FALSE CK_FALSE
 #endif
-
 #ifndef TRUE
 #define TRUE CK_TRUE
 #endif
@@ -52,7 +49,6 @@
 typedef unsigned long int CK_ULONG;
 
 /* a signed value, the same size as a CK_ULONG */
-/* CK_LONG is new for v2.0 */
 typedef long int          CK_LONG;
 
 /* at least 32 bits; each bit is a Boolean flag */
@@ -60,8 +56,8 @@
 
 
 /* some special values for certain CK_ULONG variables */
-#define CK_UNAVAILABLE_INFORMATION (~0UL)
-#define CK_EFFECTIVELY_INFINITE    0
+#define CK_UNAVAILABLE_INFORMATION      (~0UL)
+#define CK_EFFECTIVELY_INFINITE         0UL
 
 
 typedef CK_BYTE     CK_PTR   CK_BYTE_PTR;
@@ -74,9 +70,10 @@
 typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
 
 
-/* The following value is always invalid if used as a session */
-/* handle or object handle */
-#define CK_INVALID_HANDLE 0
+/* The following value is always invalid if used as a session
+ * handle or object handle
+ */
+#define CK_INVALID_HANDLE       0UL
 
 
 typedef struct CK_VERSION {
@@ -88,13 +85,9 @@
 
 
 typedef struct CK_INFO {
-  /* manufacturerID and libraryDecription have been changed from
-   * CK_CHAR to CK_UTF8CHAR for v2.10 */
   CK_VERSION    cryptokiVersion;     /* Cryptoki interface ver */
   CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
   CK_FLAGS      flags;               /* must be zero */
-
-  /* libraryDescription and libraryVersion are new for v2.0 */
   CK_UTF8CHAR   libraryDescription[32];  /* blank padded */
   CK_VERSION    libraryVersion;          /* version of library */
 } CK_INFO;
@@ -103,12 +96,11 @@
 
 
 /* CK_NOTIFICATION enumerates the types of notifications that
- * Cryptoki provides to an application */
-/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG
- * for v2.0 */
+ * Cryptoki provides to an application
+ */
 typedef CK_ULONG CK_NOTIFICATION;
-#define CKN_SURRENDER       0
-
+#define CKN_SURRENDER           0UL
+#define CKN_OTP_CHANGED         1UL
 
 typedef CK_ULONG          CK_SLOT_ID;
 
@@ -117,13 +109,10 @@
 
 /* CK_SLOT_INFO provides information about a slot */
 typedef struct CK_SLOT_INFO {
-  /* slotDescription and manufacturerID have been changed from
-   * CK_CHAR to CK_UTF8CHAR for v2.10 */
   CK_UTF8CHAR   slotDescription[64];  /* blank padded */
   CK_UTF8CHAR   manufacturerID[32];   /* blank padded */
   CK_FLAGS      flags;
 
-  /* hardwareVersion and firmwareVersion are new for v2.0 */
   CK_VERSION    hardwareVersion;  /* version of hardware */
   CK_VERSION    firmwareVersion;  /* version of firmware */
 } CK_SLOT_INFO;
@@ -131,26 +120,21 @@
 /* flags: bit flags that provide capabilities of the slot
  *      Bit Flag              Mask        Meaning
  */
-#define CKF_TOKEN_PRESENT     0x00000001  /* a token is there */
-#define CKF_REMOVABLE_DEVICE  0x00000002  /* removable devices*/
-#define CKF_HW_SLOT           0x00000004  /* hardware slot */
+#define CKF_TOKEN_PRESENT     0x00000001UL  /* a token is there */
+#define CKF_REMOVABLE_DEVICE  0x00000002UL  /* removable devices*/
+#define CKF_HW_SLOT           0x00000004UL  /* hardware slot */
 
 typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
 
 
 /* CK_TOKEN_INFO provides information about a token */
 typedef struct CK_TOKEN_INFO {
-  /* label, manufacturerID, and model have been changed from
-   * CK_CHAR to CK_UTF8CHAR for v2.10 */
   CK_UTF8CHAR   label[32];           /* blank padded */
   CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
   CK_UTF8CHAR   model[16];           /* blank padded */
   CK_CHAR       serialNumber[16];    /* blank padded */
   CK_FLAGS      flags;               /* see below */
 
-  /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount,
-   * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been
-   * changed from CK_USHORT to CK_ULONG for v2.0 */
   CK_ULONG      ulMaxSessionCount;     /* max open sessions */
   CK_ULONG      ulSessionCount;        /* sess. now open */
   CK_ULONG      ulMaxRwSessionCount;   /* max R/W sessions */
@@ -161,9 +145,6 @@
   CK_ULONG      ulFreePublicMemory;    /* in bytes */
   CK_ULONG      ulTotalPrivateMemory;  /* in bytes */
   CK_ULONG      ulFreePrivateMemory;   /* in bytes */
-
-  /* hardwareVersion, firmwareVersion, and time are new for
-   * v2.0 */
   CK_VERSION    hardwareVersion;       /* version of hardware */
   CK_VERSION    firmwareVersion;       /* version of firmware */
   CK_CHAR       utcTime[16];           /* time */
@@ -172,146 +153,149 @@
 /* The flags parameter is defined as follows:
  *      Bit Flag                    Mask        Meaning
  */
-#define CKF_RNG                     0x00000001  /* has random #
-                                                 * generator */
-#define CKF_WRITE_PROTECTED         0x00000002  /* token is
-                                                 * write-
-                                                 * protected */
-#define CKF_LOGIN_REQUIRED          0x00000004  /* user must
-                                                 * login */
-#define CKF_USER_PIN_INITIALIZED    0x00000008  /* normal user's
-                                                 * PIN is set */
+#define CKF_RNG                     0x00000001UL  /* has random # generator */
+#define CKF_WRITE_PROTECTED         0x00000002UL  /* token is write-protected */
+#define CKF_LOGIN_REQUIRED          0x00000004UL  /* user must login */
+#define CKF_USER_PIN_INITIALIZED    0x00000008UL  /* normal user's PIN is set */
 
-/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0.  If it is set,
+/* CKF_RESTORE_KEY_NOT_NEEDED.  If it is set,
  * that means that *every* time the state of cryptographic
  * operations of a session is successfully saved, all keys
- * needed to continue those operations are stored in the state */
-#define CKF_RESTORE_KEY_NOT_NEEDED  0x00000020
+ * needed to continue those operations are stored in the state
+ */
+#define CKF_RESTORE_KEY_NOT_NEEDED  0x00000020UL
 
-/* CKF_CLOCK_ON_TOKEN is new for v2.0.  If it is set, that means
+/* CKF_CLOCK_ON_TOKEN.  If it is set, that means
  * that the token has some sort of clock.  The time on that
- * clock is returned in the token info structure */
-#define CKF_CLOCK_ON_TOKEN          0x00000040
+ * clock is returned in the token info structure
+ */
+#define CKF_CLOCK_ON_TOKEN          0x00000040UL
 
-/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0.  If it is
+/* CKF_PROTECTED_AUTHENTICATION_PATH.  If it is
  * set, that means that there is some way for the user to login
- * without sending a PIN through the Cryptoki library itself */
-#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100
+ * without sending a PIN through the Cryptoki library itself
+ */
+#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100UL
 
-/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0.  If it is true,
+/* CKF_DUAL_CRYPTO_OPERATIONS.  If it is true,
  * that means that a single session with the token can perform
  * dual simultaneous cryptographic operations (digest and
  * encrypt; decrypt and digest; sign and encrypt; and decrypt
- * and sign) */
-#define CKF_DUAL_CRYPTO_OPERATIONS  0x00000200
+ * and sign)
+ */
+#define CKF_DUAL_CRYPTO_OPERATIONS  0x00000200UL
 
-/* CKF_TOKEN_INITIALIZED if new for v2.10. If it is true, the
+/* CKF_TOKEN_INITIALIZED. If it is true, the
  * token has been initialized using C_InitializeToken or an
  * equivalent mechanism outside the scope of PKCS #11.
  * Calling C_InitializeToken when this flag is set will cause
- * the token to be reinitialized. */
-#define CKF_TOKEN_INITIALIZED       0x00000400
+ * the token to be reinitialized.
+ */
+#define CKF_TOKEN_INITIALIZED       0x00000400UL
 
-/* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is
+/* CKF_SECONDARY_AUTHENTICATION. If it is
  * true, the token supports secondary authentication for
- * private key objects. This flag is deprecated in v2.11 and
-   onwards. */
-#define CKF_SECONDARY_AUTHENTICATION  0x00000800
+ * private key objects.
+ */
+#define CKF_SECONDARY_AUTHENTICATION  0x00000800UL
 
-/* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an
+/* CKF_USER_PIN_COUNT_LOW. If it is true, an
  * incorrect user login PIN has been entered at least once
- * since the last successful authentication. */
-#define CKF_USER_PIN_COUNT_LOW       0x00010000
+ * since the last successful authentication.
+ */
+#define CKF_USER_PIN_COUNT_LOW       0x00010000UL
 
-/* CKF_USER_PIN_FINAL_TRY if new for v2.10. If it is true,
- * supplying an incorrect user PIN will it to become locked. */
-#define CKF_USER_PIN_FINAL_TRY       0x00020000
+/* CKF_USER_PIN_FINAL_TRY. If it is true,
+ * supplying an incorrect user PIN will it to become locked.
+ */
+#define CKF_USER_PIN_FINAL_TRY       0x00020000UL
 
-/* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the
+/* CKF_USER_PIN_LOCKED. If it is true, the
  * user PIN has been locked. User login to the token is not
- * possible. */
-#define CKF_USER_PIN_LOCKED          0x00040000
+ * possible.
+ */
+#define CKF_USER_PIN_LOCKED          0x00040000UL
 
-/* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
+/* CKF_USER_PIN_TO_BE_CHANGED. If it is true,
  * the user PIN value is the default value set by token
  * initialization or manufacturing, or the PIN has been
- * expired by the card. */
-#define CKF_USER_PIN_TO_BE_CHANGED   0x00080000
+ * expired by the card.
+ */
+#define CKF_USER_PIN_TO_BE_CHANGED   0x00080000UL
 
-/* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an
+/* CKF_SO_PIN_COUNT_LOW. If it is true, an
  * incorrect SO login PIN has been entered at least once since
- * the last successful authentication. */
-#define CKF_SO_PIN_COUNT_LOW         0x00100000
+ * the last successful authentication.
+ */
+#define CKF_SO_PIN_COUNT_LOW         0x00100000UL
 
-/* CKF_SO_PIN_FINAL_TRY if new for v2.10. If it is true,
- * supplying an incorrect SO PIN will it to become locked. */
-#define CKF_SO_PIN_FINAL_TRY         0x00200000
+/* CKF_SO_PIN_FINAL_TRY. If it is true,
+ * supplying an incorrect SO PIN will it to become locked.
+ */
+#define CKF_SO_PIN_FINAL_TRY         0x00200000UL
 
-/* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO
+/* CKF_SO_PIN_LOCKED. If it is true, the SO
  * PIN has been locked. SO login to the token is not possible.
  */
-#define CKF_SO_PIN_LOCKED            0x00400000
+#define CKF_SO_PIN_LOCKED            0x00400000UL
 
-/* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
+/* CKF_SO_PIN_TO_BE_CHANGED. If it is true,
  * the SO PIN value is the default value set by token
  * initialization or manufacturing, or the PIN has been
- * expired by the card. */
-#define CKF_SO_PIN_TO_BE_CHANGED     0x00800000
+ * expired by the card.
+ */
+#define CKF_SO_PIN_TO_BE_CHANGED     0x00800000UL
+
+#define CKF_ERROR_STATE              0x01000000UL
 
 typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
 
 
 /* CK_SESSION_HANDLE is a Cryptoki-assigned value that
- * identifies a session */
+ * identifies a session
+ */
 typedef CK_ULONG          CK_SESSION_HANDLE;
 
 typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
 
 
 /* CK_USER_TYPE enumerates the types of Cryptoki users */
-/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for
- * v2.0 */
 typedef CK_ULONG          CK_USER_TYPE;
 /* Security Officer */
-#define CKU_SO    0
+#define CKU_SO                  0UL
 /* Normal user */
-#define CKU_USER  1
-/* Context specific (added in v2.20) */
-#define CKU_CONTEXT_SPECIFIC   2
+#define CKU_USER                1UL
+/* Context specific */
+#define CKU_CONTEXT_SPECIFIC    2UL
 
 /* CK_STATE enumerates the session states */
-/* CK_STATE has been changed from an enum to a CK_ULONG for
- * v2.0 */
 typedef CK_ULONG          CK_STATE;
-#define CKS_RO_PUBLIC_SESSION  0
-#define CKS_RO_USER_FUNCTIONS  1
-#define CKS_RW_PUBLIC_SESSION  2
-#define CKS_RW_USER_FUNCTIONS  3
-#define CKS_RW_SO_FUNCTIONS    4
-
+#define CKS_RO_PUBLIC_SESSION   0UL
+#define CKS_RO_USER_FUNCTIONS   1UL
+#define CKS_RW_PUBLIC_SESSION   2UL
+#define CKS_RW_USER_FUNCTIONS   3UL
+#define CKS_RW_SO_FUNCTIONS     4UL
 
 /* CK_SESSION_INFO provides information about a session */
 typedef struct CK_SESSION_INFO {
   CK_SLOT_ID    slotID;
   CK_STATE      state;
   CK_FLAGS      flags;          /* see below */
-
-  /* ulDeviceError was changed from CK_USHORT to CK_ULONG for
-   * v2.0 */
   CK_ULONG      ulDeviceError;  /* device-dependent error code */
 } CK_SESSION_INFO;
 
 /* The flags are defined in the following table:
  *      Bit Flag                Mask        Meaning
  */
-#define CKF_RW_SESSION          0x00000002  /* session is r/w */
-#define CKF_SERIAL_SESSION      0x00000004  /* no parallel */
+#define CKF_RW_SESSION          0x00000002UL /* session is r/w */
+#define CKF_SERIAL_SESSION      0x00000004UL /* no parallel    */
 
 typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
 
 
 /* CK_OBJECT_HANDLE is a token-specific identifier for an
- * object  */
+ * object
+ */
 typedef CK_ULONG          CK_OBJECT_HANDLE;
 
 typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
@@ -319,251 +303,273 @@
 
 /* CK_OBJECT_CLASS is a value that identifies the classes (or
  * types) of objects that Cryptoki recognizes.  It is defined
- * as follows: */
-/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
+ * as follows:
+ */
 typedef CK_ULONG          CK_OBJECT_CLASS;
 
 /* The following classes of objects are defined: */
-/* CKO_HW_FEATURE is new for v2.10 */
-/* CKO_DOMAIN_PARAMETERS is new for v2.11 */
-/* CKO_MECHANISM is new for v2.20 */
-#define CKO_DATA              0x00000000
-#define CKO_CERTIFICATE       0x00000001
-#define CKO_PUBLIC_KEY        0x00000002
-#define CKO_PRIVATE_KEY       0x00000003
-#define CKO_SECRET_KEY        0x00000004
-#define CKO_HW_FEATURE        0x00000005
-#define CKO_DOMAIN_PARAMETERS 0x00000006
-#define CKO_MECHANISM         0x00000007
-#define CKO_VENDOR_DEFINED    0x80000000
+#define CKO_DATA              0x00000000UL
+#define CKO_CERTIFICATE       0x00000001UL
+#define CKO_PUBLIC_KEY        0x00000002UL
+#define CKO_PRIVATE_KEY       0x00000003UL
+#define CKO_SECRET_KEY        0x00000004UL
+#define CKO_HW_FEATURE        0x00000005UL
+#define CKO_DOMAIN_PARAMETERS 0x00000006UL
+#define CKO_MECHANISM         0x00000007UL
+#define CKO_OTP_KEY           0x00000008UL
+
+#define CKO_VENDOR_DEFINED    0x80000000UL
 
 typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
 
-/* CK_HW_FEATURE_TYPE is new for v2.10. CK_HW_FEATURE_TYPE is a
- * value that identifies the hardware feature type of an object
- * with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. */
+/* CK_HW_FEATURE_TYPE is a value that identifies the hardware feature type
+ * of an object with CK_OBJECT_CLASS equal to CKO_HW_FEATURE.
+ */
 typedef CK_ULONG          CK_HW_FEATURE_TYPE;
 
 /* The following hardware feature types are defined */
-/* CKH_USER_INTERFACE is new for v2.20 */
-#define CKH_MONOTONIC_COUNTER  0x00000001
-#define CKH_CLOCK           0x00000002
-#define CKH_USER_INTERFACE  0x00000003
-#define CKH_VENDOR_DEFINED  0x80000000
+#define CKH_MONOTONIC_COUNTER  0x00000001UL
+#define CKH_CLOCK              0x00000002UL
+#define CKH_USER_INTERFACE     0x00000003UL
+#define CKH_VENDOR_DEFINED     0x80000000UL
 
 /* CK_KEY_TYPE is a value that identifies a key type */
-/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
 typedef CK_ULONG          CK_KEY_TYPE;
 
 /* the following key types are defined: */
-#define CKK_RSA             0x00000000
-#define CKK_DSA             0x00000001
-#define CKK_DH              0x00000002
+#define CKK_RSA                 0x00000000UL
+#define CKK_DSA                 0x00000001UL
+#define CKK_DH                  0x00000002UL
+#define CKK_ECDSA               0x00000003UL /* Deprecated */
+#define CKK_EC                  0x00000003UL
+#define CKK_X9_42_DH            0x00000004UL
+#define CKK_KEA                 0x00000005UL
+#define CKK_GENERIC_SECRET      0x00000010UL
+#define CKK_RC2                 0x00000011UL
+#define CKK_RC4                 0x00000012UL
+#define CKK_DES                 0x00000013UL
+#define CKK_DES2                0x00000014UL
+#define CKK_DES3                0x00000015UL
+#define CKK_CAST                0x00000016UL
+#define CKK_CAST3               0x00000017UL
+#define CKK_CAST5               0x00000018UL /* Deprecated */
+#define CKK_CAST128             0x00000018UL
+#define CKK_RC5                 0x00000019UL
+#define CKK_IDEA                0x0000001AUL
+#define CKK_SKIPJACK            0x0000001BUL
+#define CKK_BATON               0x0000001CUL
+#define CKK_JUNIPER             0x0000001DUL
+#define CKK_CDMF                0x0000001EUL
+#define CKK_AES                 0x0000001FUL
+#define CKK_BLOWFISH            0x00000020UL
+#define CKK_TWOFISH             0x00000021UL
+#define CKK_SECURID             0x00000022UL
+#define CKK_HOTP                0x00000023UL
+#define CKK_ACTI                0x00000024UL
+#define CKK_CAMELLIA            0x00000025UL
+#define CKK_ARIA                0x00000026UL
 
-/* CKK_ECDSA and CKK_KEA are new for v2.0 */
-/* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred. */
-#define CKK_ECDSA           0x00000003
-#define CKK_EC              0x00000003
-#define CKK_X9_42_DH        0x00000004
-#define CKK_KEA             0x00000005
+#define CKK_MD5_HMAC            0x00000027UL
+#define CKK_SHA_1_HMAC          0x00000028UL
+#define CKK_RIPEMD128_HMAC      0x00000029UL
+#define CKK_RIPEMD160_HMAC      0x0000002AUL
+#define CKK_SHA256_HMAC         0x0000002BUL
+#define CKK_SHA384_HMAC         0x0000002CUL
+#define CKK_SHA512_HMAC         0x0000002DUL
+#define CKK_SHA224_HMAC         0x0000002EUL
 
-#define CKK_GENERIC_SECRET  0x00000010
-#define CKK_RC2             0x00000011
-#define CKK_RC4             0x00000012
-#define CKK_DES             0x00000013
-#define CKK_DES2            0x00000014
-#define CKK_DES3            0x00000015
+#define CKK_SEED                0x0000002FUL
+#define CKK_GOSTR3410           0x00000030UL
+#define CKK_GOSTR3411           0x00000031UL
+#define CKK_GOST28147           0x00000032UL
 
-/* all these key types are new for v2.0 */
-#define CKK_CAST            0x00000016
-#define CKK_CAST3           0x00000017
-/* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */
-#define CKK_CAST5           0x00000018
-#define CKK_CAST128         0x00000018
-#define CKK_RC5             0x00000019
-#define CKK_IDEA            0x0000001A
-#define CKK_SKIPJACK        0x0000001B
-#define CKK_BATON           0x0000001C
-#define CKK_JUNIPER         0x0000001D
-#define CKK_CDMF            0x0000001E
-#define CKK_AES             0x0000001F
 
-/* BlowFish and TwoFish are new for v2.20 */
-#define CKK_BLOWFISH        0x00000020
-#define CKK_TWOFISH         0x00000021
 
-#define CKK_VENDOR_DEFINED  0x80000000
+#define CKK_VENDOR_DEFINED      0x80000000UL
 
 
 /* CK_CERTIFICATE_TYPE is a value that identifies a certificate
- * type */
-/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG
- * for v2.0 */
+ * type
+ */
 typedef CK_ULONG          CK_CERTIFICATE_TYPE;
 
+#define CK_CERTIFICATE_CATEGORY_UNSPECIFIED     0UL
+#define CK_CERTIFICATE_CATEGORY_TOKEN_USER      1UL
+#define CK_CERTIFICATE_CATEGORY_AUTHORITY       2UL
+#define CK_CERTIFICATE_CATEGORY_OTHER_ENTITY    3UL
+
+#define CK_SECURITY_DOMAIN_UNSPECIFIED     0UL
+#define CK_SECURITY_DOMAIN_MANUFACTURER    1UL
+#define CK_SECURITY_DOMAIN_OPERATOR        2UL
+#define CK_SECURITY_DOMAIN_THIRD_PARTY     3UL
+
+
 /* The following certificate types are defined: */
-/* CKC_X_509_ATTR_CERT is new for v2.10 */
-/* CKC_WTLS is new for v2.20 */
-#define CKC_X_509           0x00000000
-#define CKC_X_509_ATTR_CERT 0x00000001
-#define CKC_WTLS            0x00000002
-#define CKC_VENDOR_DEFINED  0x80000000
+#define CKC_X_509               0x00000000UL
+#define CKC_X_509_ATTR_CERT     0x00000001UL
+#define CKC_WTLS                0x00000002UL
+#define CKC_VENDOR_DEFINED      0x80000000UL
 
 
 /* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
- * type */
-/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
+ * type
+ */
 typedef CK_ULONG          CK_ATTRIBUTE_TYPE;
 
 /* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which
-   consists of an array of values. */
-#define CKF_ARRAY_ATTRIBUTE    0x40000000
+ * consists of an array of values.
+ */
+#define CKF_ARRAY_ATTRIBUTE     0x40000000UL
+
+/* The following OTP-related defines relate to the CKA_OTP_FORMAT attribute */
+#define CK_OTP_FORMAT_DECIMAL           0UL
+#define CK_OTP_FORMAT_HEXADECIMAL       1UL
+#define CK_OTP_FORMAT_ALPHANUMERIC      2UL
+#define CK_OTP_FORMAT_BINARY            3UL
+
+/* The following OTP-related defines relate to the CKA_OTP_..._REQUIREMENT
+ * attributes
+ */
+#define CK_OTP_PARAM_IGNORED            0UL
+#define CK_OTP_PARAM_OPTIONAL           1UL
+#define CK_OTP_PARAM_MANDATORY          2UL
 
 /* The following attribute types are defined: */
-#define CKA_CLASS              0x00000000
-#define CKA_TOKEN              0x00000001
-#define CKA_PRIVATE            0x00000002
-#define CKA_LABEL              0x00000003
-#define CKA_APPLICATION        0x00000010
-#define CKA_VALUE              0x00000011
+#define CKA_CLASS              0x00000000UL
+#define CKA_TOKEN              0x00000001UL
+#define CKA_PRIVATE            0x00000002UL
+#define CKA_LABEL              0x00000003UL
+#define CKA_APPLICATION        0x00000010UL
+#define CKA_VALUE              0x00000011UL
+#define CKA_OBJECT_ID          0x00000012UL
+#define CKA_CERTIFICATE_TYPE   0x00000080UL
+#define CKA_ISSUER             0x00000081UL
+#define CKA_SERIAL_NUMBER      0x00000082UL
+#define CKA_AC_ISSUER          0x00000083UL
+#define CKA_OWNER              0x00000084UL
+#define CKA_ATTR_TYPES         0x00000085UL
+#define CKA_TRUSTED            0x00000086UL
+#define CKA_CERTIFICATE_CATEGORY        0x00000087UL
+#define CKA_JAVA_MIDP_SECURITY_DOMAIN   0x00000088UL
+#define CKA_URL                         0x00000089UL
+#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY  0x0000008AUL
+#define CKA_HASH_OF_ISSUER_PUBLIC_KEY   0x0000008BUL
+#define CKA_NAME_HASH_ALGORITHM         0x0000008CUL
+#define CKA_CHECK_VALUE                 0x00000090UL
 
-/* CKA_OBJECT_ID is new for v2.10 */
-#define CKA_OBJECT_ID          0x00000012
+#define CKA_KEY_TYPE           0x00000100UL
+#define CKA_SUBJECT            0x00000101UL
+#define CKA_ID                 0x00000102UL
+#define CKA_SENSITIVE          0x00000103UL
+#define CKA_ENCRYPT            0x00000104UL
+#define CKA_DECRYPT            0x00000105UL
+#define CKA_WRAP               0x00000106UL
+#define CKA_UNWRAP             0x00000107UL
+#define CKA_SIGN               0x00000108UL
+#define CKA_SIGN_RECOVER       0x00000109UL
+#define CKA_VERIFY             0x0000010AUL
+#define CKA_VERIFY_RECOVER     0x0000010BUL
+#define CKA_DERIVE             0x0000010CUL
+#define CKA_START_DATE         0x00000110UL
+#define CKA_END_DATE           0x00000111UL
+#define CKA_MODULUS            0x00000120UL
+#define CKA_MODULUS_BITS       0x00000121UL
+#define CKA_PUBLIC_EXPONENT    0x00000122UL
+#define CKA_PRIVATE_EXPONENT   0x00000123UL
+#define CKA_PRIME_1            0x00000124UL
+#define CKA_PRIME_2            0x00000125UL
+#define CKA_EXPONENT_1         0x00000126UL
+#define CKA_EXPONENT_2         0x00000127UL
+#define CKA_COEFFICIENT        0x00000128UL
+#define CKA_PUBLIC_KEY_INFO    0x00000129UL
+#define CKA_PRIME              0x00000130UL
+#define CKA_SUBPRIME           0x00000131UL
+#define CKA_BASE               0x00000132UL
 
-#define CKA_CERTIFICATE_TYPE   0x00000080
-#define CKA_ISSUER             0x00000081
-#define CKA_SERIAL_NUMBER      0x00000082
+#define CKA_PRIME_BITS         0x00000133UL
+#define CKA_SUBPRIME_BITS      0x00000134UL
+#define CKA_SUB_PRIME_BITS     CKA_SUBPRIME_BITS
 
-/* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new
- * for v2.10 */
-#define CKA_AC_ISSUER          0x00000083
-#define CKA_OWNER              0x00000084
-#define CKA_ATTR_TYPES         0x00000085
+#define CKA_VALUE_BITS         0x00000160UL
+#define CKA_VALUE_LEN          0x00000161UL
+#define CKA_EXTRACTABLE        0x00000162UL
+#define CKA_LOCAL              0x00000163UL
+#define CKA_NEVER_EXTRACTABLE  0x00000164UL
+#define CKA_ALWAYS_SENSITIVE   0x00000165UL
+#define CKA_KEY_GEN_MECHANISM  0x00000166UL
 
-/* CKA_TRUSTED is new for v2.11 */
-#define CKA_TRUSTED            0x00000086
+#define CKA_MODIFIABLE         0x00000170UL
+#define CKA_COPYABLE           0x00000171UL
 
-/* CKA_CERTIFICATE_CATEGORY ...
- * CKA_CHECK_VALUE are new for v2.20 */
-#define CKA_CERTIFICATE_CATEGORY        0x00000087
-#define CKA_JAVA_MIDP_SECURITY_DOMAIN   0x00000088
-#define CKA_URL                         0x00000089
-#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY  0x0000008A
-#define CKA_HASH_OF_ISSUER_PUBLIC_KEY   0x0000008B
-#define CKA_CHECK_VALUE                 0x00000090
+#define CKA_DESTROYABLE        0x00000172UL
 
-#define CKA_KEY_TYPE           0x00000100
-#define CKA_SUBJECT            0x00000101
-#define CKA_ID                 0x00000102
-#define CKA_SENSITIVE          0x00000103
-#define CKA_ENCRYPT            0x00000104
-#define CKA_DECRYPT            0x00000105
-#define CKA_WRAP               0x00000106
-#define CKA_UNWRAP             0x00000107
-#define CKA_SIGN               0x00000108
-#define CKA_SIGN_RECOVER       0x00000109
-#define CKA_VERIFY             0x0000010A
-#define CKA_VERIFY_RECOVER     0x0000010B
-#define CKA_DERIVE             0x0000010C
-#define CKA_START_DATE         0x00000110
-#define CKA_END_DATE           0x00000111
-#define CKA_MODULUS            0x00000120
-#define CKA_MODULUS_BITS       0x00000121
-#define CKA_PUBLIC_EXPONENT    0x00000122
-#define CKA_PRIVATE_EXPONENT   0x00000123
-#define CKA_PRIME_1            0x00000124
-#define CKA_PRIME_2            0x00000125
-#define CKA_EXPONENT_1         0x00000126
-#define CKA_EXPONENT_2         0x00000127
-#define CKA_COEFFICIENT        0x00000128
-#define CKA_PRIME              0x00000130
-#define CKA_SUBPRIME           0x00000131
-#define CKA_BASE               0x00000132
+#define CKA_ECDSA_PARAMS       0x00000180UL /* Deprecated */
+#define CKA_EC_PARAMS          0x00000180UL
 
-/* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */
-#define CKA_PRIME_BITS         0x00000133
-#define CKA_SUBPRIME_BITS      0x00000134
-#define CKA_SUB_PRIME_BITS     CKA_SUBPRIME_BITS
-/* (To retain backwards-compatibility) */
+#define CKA_EC_POINT           0x00000181UL
 
-#define CKA_VALUE_BITS         0x00000160
-#define CKA_VALUE_LEN          0x00000161
+#define CKA_SECONDARY_AUTH     0x00000200UL /* Deprecated */
+#define CKA_AUTH_PIN_FLAGS     0x00000201UL /* Deprecated */
 
-/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE,
- * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS,
- * and CKA_EC_POINT are new for v2.0 */
-#define CKA_EXTRACTABLE        0x00000162
-#define CKA_LOCAL              0x00000163
-#define CKA_NEVER_EXTRACTABLE  0x00000164
-#define CKA_ALWAYS_SENSITIVE   0x00000165
+#define CKA_ALWAYS_AUTHENTICATE  0x00000202UL
 
-/* CKA_KEY_GEN_MECHANISM is new for v2.11 */
-#define CKA_KEY_GEN_MECHANISM  0x00000166
+#define CKA_WRAP_WITH_TRUSTED    0x00000210UL
+#define CKA_WRAP_TEMPLATE        (CKF_ARRAY_ATTRIBUTE|0x00000211UL)
+#define CKA_UNWRAP_TEMPLATE      (CKF_ARRAY_ATTRIBUTE|0x00000212UL)
+#define CKA_DERIVE_TEMPLATE      (CKF_ARRAY_ATTRIBUTE|0x00000213UL)
 
-#define CKA_MODIFIABLE         0x00000170
+#define CKA_OTP_FORMAT                0x00000220UL
+#define CKA_OTP_LENGTH                0x00000221UL
+#define CKA_OTP_TIME_INTERVAL         0x00000222UL
+#define CKA_OTP_USER_FRIENDLY_MODE    0x00000223UL
+#define CKA_OTP_CHALLENGE_REQUIREMENT 0x00000224UL
+#define CKA_OTP_TIME_REQUIREMENT      0x00000225UL
+#define CKA_OTP_COUNTER_REQUIREMENT   0x00000226UL
+#define CKA_OTP_PIN_REQUIREMENT       0x00000227UL
+#define CKA_OTP_COUNTER               0x0000022EUL
+#define CKA_OTP_TIME                  0x0000022FUL
+#define CKA_OTP_USER_IDENTIFIER       0x0000022AUL
+#define CKA_OTP_SERVICE_IDENTIFIER    0x0000022BUL
+#define CKA_OTP_SERVICE_LOGO          0x0000022CUL
+#define CKA_OTP_SERVICE_LOGO_TYPE     0x0000022DUL
 
-/* CKA_ECDSA_PARAMS is deprecated in v2.11,
- * CKA_EC_PARAMS is preferred. */
-#define CKA_ECDSA_PARAMS       0x00000180
-#define CKA_EC_PARAMS          0x00000180
+#define CKA_GOSTR3410_PARAMS            0x00000250UL
+#define CKA_GOSTR3411_PARAMS            0x00000251UL
+#define CKA_GOST28147_PARAMS            0x00000252UL
 
-#define CKA_EC_POINT           0x00000181
+#define CKA_HW_FEATURE_TYPE             0x00000300UL
+#define CKA_RESET_ON_INIT               0x00000301UL
+#define CKA_HAS_RESET                   0x00000302UL
 
-/* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS,
- * are new for v2.10. Deprecated in v2.11 and onwards. */
-#define CKA_SECONDARY_AUTH     0x00000200
-#define CKA_AUTH_PIN_FLAGS     0x00000201
+#define CKA_PIXEL_X                     0x00000400UL
+#define CKA_PIXEL_Y                     0x00000401UL
+#define CKA_RESOLUTION                  0x00000402UL
+#define CKA_CHAR_ROWS                   0x00000403UL
+#define CKA_CHAR_COLUMNS                0x00000404UL
+#define CKA_COLOR                       0x00000405UL
+#define CKA_BITS_PER_PIXEL              0x00000406UL
+#define CKA_CHAR_SETS                   0x00000480UL
+#define CKA_ENCODING_METHODS            0x00000481UL
+#define CKA_MIME_TYPES                  0x00000482UL
+#define CKA_MECHANISM_TYPE              0x00000500UL
+#define CKA_REQUIRED_CMS_ATTRIBUTES     0x00000501UL
+#define CKA_DEFAULT_CMS_ATTRIBUTES      0x00000502UL
+#define CKA_SUPPORTED_CMS_ATTRIBUTES    0x00000503UL
+#define CKA_ALLOWED_MECHANISMS          (CKF_ARRAY_ATTRIBUTE|0x00000600UL)
 
-/* CKA_ALWAYS_AUTHENTICATE ...
- * CKA_UNWRAP_TEMPLATE are new for v2.20 */
-#define CKA_ALWAYS_AUTHENTICATE  0x00000202
-
-#define CKA_WRAP_WITH_TRUSTED    0x00000210
-#define CKA_WRAP_TEMPLATE        (CKF_ARRAY_ATTRIBUTE|0x00000211)
-#define CKA_UNWRAP_TEMPLATE      (CKF_ARRAY_ATTRIBUTE|0x00000212)
-
-/* CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET
- * are new for v2.10 */
-#define CKA_HW_FEATURE_TYPE    0x00000300
-#define CKA_RESET_ON_INIT      0x00000301
-#define CKA_HAS_RESET          0x00000302
-
-/* The following attributes are new for v2.20 */
-#define CKA_PIXEL_X                     0x00000400
-#define CKA_PIXEL_Y                     0x00000401
-#define CKA_RESOLUTION                  0x00000402
-#define CKA_CHAR_ROWS                   0x00000403
-#define CKA_CHAR_COLUMNS                0x00000404
-#define CKA_COLOR                       0x00000405
-#define CKA_BITS_PER_PIXEL              0x00000406
-#define CKA_CHAR_SETS                   0x00000480
-#define CKA_ENCODING_METHODS            0x00000481
-#define CKA_MIME_TYPES                  0x00000482
-#define CKA_MECHANISM_TYPE              0x00000500
-#define CKA_REQUIRED_CMS_ATTRIBUTES     0x00000501
-#define CKA_DEFAULT_CMS_ATTRIBUTES      0x00000502
-#define CKA_SUPPORTED_CMS_ATTRIBUTES    0x00000503
-#define CKA_ALLOWED_MECHANISMS          (CKF_ARRAY_ATTRIBUTE|0x00000600)
-
-#define CKA_VENDOR_DEFINED     0x80000000
-#define CKA_NETSCAPE_DB        0xD5A0DB00
-
+#define CKA_VENDOR_DEFINED              0x80000000UL
 
 /* CK_ATTRIBUTE is a structure that includes the type, length
- * and value of an attribute */
+ * and value of an attribute
+ */
 typedef struct CK_ATTRIBUTE {
   CK_ATTRIBUTE_TYPE type;
   CK_VOID_PTR       pValue;
-
-  /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */
   CK_ULONG          ulValueLen;  /* in bytes */
 } CK_ATTRIBUTE;
 
 typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
 
-
 /* CK_DATE is a structure that defines a date */
 typedef struct CK_DATE{
   CK_CHAR       year[4];   /* the year ("1900" - "9999") */
@@ -573,341 +579,411 @@
 
 
 /* CK_MECHANISM_TYPE is a value that identifies a mechanism
- * type */
-/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
+ * type
+ */
 typedef CK_ULONG          CK_MECHANISM_TYPE;
 
 /* the following mechanism types are defined: */
-#define CKM_RSA_PKCS_KEY_PAIR_GEN      0x00000000
-#define CKM_RSA_PKCS                   0x00000001
-#define CKM_RSA_9796                   0x00000002
-#define CKM_RSA_X_509                  0x00000003
+#define CKM_RSA_PKCS_KEY_PAIR_GEN      0x00000000UL
+#define CKM_RSA_PKCS                   0x00000001UL
+#define CKM_RSA_9796                   0x00000002UL
+#define CKM_RSA_X_509                  0x00000003UL
 
-/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS
- * are new for v2.0.  They are mechanisms which hash and sign */
-#define CKM_MD2_RSA_PKCS               0x00000004
-#define CKM_MD5_RSA_PKCS               0x00000005
-#define CKM_SHA1_RSA_PKCS              0x00000006
+#define CKM_MD2_RSA_PKCS               0x00000004UL
+#define CKM_MD5_RSA_PKCS               0x00000005UL
+#define CKM_SHA1_RSA_PKCS              0x00000006UL
 
-/* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS, and
- * CKM_RSA_PKCS_OAEP are new for v2.10 */
-#define CKM_RIPEMD128_RSA_PKCS         0x00000007
-#define CKM_RIPEMD160_RSA_PKCS         0x00000008
-#define CKM_RSA_PKCS_OAEP              0x00000009
+#define CKM_RIPEMD128_RSA_PKCS         0x00000007UL
+#define CKM_RIPEMD160_RSA_PKCS         0x00000008UL
+#define CKM_RSA_PKCS_OAEP              0x00000009UL
 
-/* CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31,
- * CKM_RSA_PKCS_PSS, and CKM_SHA1_RSA_PKCS_PSS are new for v2.11 */
-#define CKM_RSA_X9_31_KEY_PAIR_GEN     0x0000000A
-#define CKM_RSA_X9_31                  0x0000000B
-#define CKM_SHA1_RSA_X9_31             0x0000000C
-#define CKM_RSA_PKCS_PSS               0x0000000D
-#define CKM_SHA1_RSA_PKCS_PSS          0x0000000E
+#define CKM_RSA_X9_31_KEY_PAIR_GEN     0x0000000AUL
+#define CKM_RSA_X9_31                  0x0000000BUL
+#define CKM_SHA1_RSA_X9_31             0x0000000CUL
+#define CKM_RSA_PKCS_PSS               0x0000000DUL
+#define CKM_SHA1_RSA_PKCS_PSS          0x0000000EUL
 
-#define CKM_DSA_KEY_PAIR_GEN           0x00000010
-#define CKM_DSA                        0x00000011
-#define CKM_DSA_SHA1                   0x00000012
-#define CKM_DH_PKCS_KEY_PAIR_GEN       0x00000020
-#define CKM_DH_PKCS_DERIVE             0x00000021
+#define CKM_DSA_KEY_PAIR_GEN           0x00000010UL
+#define CKM_DSA                        0x00000011UL
+#define CKM_DSA_SHA1                   0x00000012UL
+#define CKM_DSA_SHA224                 0x00000013UL
+#define CKM_DSA_SHA256                 0x00000014UL
+#define CKM_DSA_SHA384                 0x00000015UL
+#define CKM_DSA_SHA512                 0x00000016UL
 
-/* CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE,
- * CKM_X9_42_DH_HYBRID_DERIVE, and CKM_X9_42_MQV_DERIVE are new for
- * v2.11 */
-#define CKM_X9_42_DH_KEY_PAIR_GEN      0x00000030
-#define CKM_X9_42_DH_DERIVE            0x00000031
-#define CKM_X9_42_DH_HYBRID_DERIVE     0x00000032
-#define CKM_X9_42_MQV_DERIVE           0x00000033
+#define CKM_DH_PKCS_KEY_PAIR_GEN       0x00000020UL
+#define CKM_DH_PKCS_DERIVE             0x00000021UL
 
-/* CKM_SHA256/384/512 are new for v2.20 */
-#define CKM_SHA256_RSA_PKCS            0x00000040
-#define CKM_SHA384_RSA_PKCS            0x00000041
-#define CKM_SHA512_RSA_PKCS            0x00000042
-#define CKM_SHA256_RSA_PKCS_PSS        0x00000043
-#define CKM_SHA384_RSA_PKCS_PSS        0x00000044
-#define CKM_SHA512_RSA_PKCS_PSS        0x00000045
+#define CKM_X9_42_DH_KEY_PAIR_GEN      0x00000030UL
+#define CKM_X9_42_DH_DERIVE            0x00000031UL
+#define CKM_X9_42_DH_HYBRID_DERIVE     0x00000032UL
+#define CKM_X9_42_MQV_DERIVE           0x00000033UL
 
-#define CKM_RC2_KEY_GEN                0x00000100
-#define CKM_RC2_ECB                    0x00000101
-#define CKM_RC2_CBC                    0x00000102
-#define CKM_RC2_MAC                    0x00000103
+#define CKM_SHA256_RSA_PKCS            0x00000040UL
+#define CKM_SHA384_RSA_PKCS            0x00000041UL
+#define CKM_SHA512_RSA_PKCS            0x00000042UL
+#define CKM_SHA256_RSA_PKCS_PSS        0x00000043UL
+#define CKM_SHA384_RSA_PKCS_PSS        0x00000044UL
+#define CKM_SHA512_RSA_PKCS_PSS        0x00000045UL
 
-/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */
-#define CKM_RC2_MAC_GENERAL            0x00000104
-#define CKM_RC2_CBC_PAD                0x00000105
+#define CKM_SHA224_RSA_PKCS            0x00000046UL
+#define CKM_SHA224_RSA_PKCS_PSS        0x00000047UL
 
-#define CKM_RC4_KEY_GEN                0x00000110
-#define CKM_RC4                        0x00000111
-#define CKM_DES_KEY_GEN                0x00000120
-#define CKM_DES_ECB                    0x00000121
-#define CKM_DES_CBC                    0x00000122
-#define CKM_DES_MAC                    0x00000123
+#define CKM_SHA512_224                 0x00000048UL
+#define CKM_SHA512_224_HMAC            0x00000049UL
+#define CKM_SHA512_224_HMAC_GENERAL    0x0000004AUL
+#define CKM_SHA512_224_KEY_DERIVATION  0x0000004BUL
+#define CKM_SHA512_256                 0x0000004CUL
+#define CKM_SHA512_256_HMAC            0x0000004DUL
+#define CKM_SHA512_256_HMAC_GENERAL    0x0000004EUL
+#define CKM_SHA512_256_KEY_DERIVATION  0x0000004FUL
 
-/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */
-#define CKM_DES_MAC_GENERAL            0x00000124
-#define CKM_DES_CBC_PAD                0x00000125
+#define CKM_SHA512_T                   0x00000050UL
+#define CKM_SHA512_T_HMAC              0x00000051UL
+#define CKM_SHA512_T_HMAC_GENERAL      0x00000052UL
+#define CKM_SHA512_T_KEY_DERIVATION    0x00000053UL
 
-#define CKM_DES2_KEY_GEN               0x00000130
-#define CKM_DES3_KEY_GEN               0x00000131
-#define CKM_DES3_ECB                   0x00000132
-#define CKM_DES3_CBC                   0x00000133
-#define CKM_DES3_MAC                   0x00000134
+#define CKM_RC2_KEY_GEN                0x00000100UL
+#define CKM_RC2_ECB                    0x00000101UL
+#define CKM_RC2_CBC                    0x00000102UL
+#define CKM_RC2_MAC                    0x00000103UL
 
-/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN,
- * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC,
- * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */
-#define CKM_DES3_MAC_GENERAL           0x00000135
-#define CKM_DES3_CBC_PAD               0x00000136
-#define CKM_CDMF_KEY_GEN               0x00000140
-#define CKM_CDMF_ECB                   0x00000141
-#define CKM_CDMF_CBC                   0x00000142
-#define CKM_CDMF_MAC                   0x00000143
-#define CKM_CDMF_MAC_GENERAL           0x00000144