Webrev is at http://cr.illumos.org/view/madbjvqy/ (it worked this time! \o/). The synopsis is somewhat misleading. The actual bug is that DH key generation is plain broken (just revealed by the Java pkcs11 provider; anything else using pkcs11 to generate DH keys will be broken as well).