Table 1 lists the standard PKCS #11 functions that ICSF supports. Any function not listed is not supported and returns the CKR_FUNCTION_NOT_SUPPORTED return code.
Function | Usage notes |
---|---|
General purpose functions: | |
C_Initialize() | |
C_Finalize() | dlclose() cannot be used as an implicit C_Finalize(). If an application uses dlclose() without calling C_Finalize(), and reinitializes PKCS #11, a subsequent call to C_Initialize() will result in error CKR_FUNCTION_FAILED being returned. |
C_GetInfo() | |
C_GetFunctionList() | |
Slot and token management functions: | |
C_GetSlotList() | |
C_GetSlotInfo() | |
C_GetTokenInfo() | |
C_WaitForSlotEvent() | |
C_GetMechanismList() | The list of functions returned reflects the capabilities of the current cryptographic hardware configuration. Note: The loss or addition of hardware on the fly is not detected or reflected. (For example, on a z9-109, if the only CEX2C present is deactivated, this function still returns the mechanisms that require an active CEX2C to function.) |
C_GetMechanismInfo() | The output of this function reflects the capabilities of the current cryptographic hardware configuration. |
C_InitToken() | Tokens are protected by the security manager through profiles in the CRYPTOZ class. PINs are not used. The pPin and ulPinLen arguments are ignored. |
C_InitPIN() | Tokens are protected by the security manager through profiles in the CRYPTOZ class. PINs are not used. This function performs no operation and always returns CKR_OK. |
C_SetPIN() | Tokens are protected by the security manager through profiles in the CRYPTOZ class. PINs are not used. This function performs no operation and always returns CKR_OK. |
Session management functions: | |
C_OpenSession() | The Notify and pApplication arguments are ignored. |
C_CloseSession() | |
C_CloseAllSessions() | |
C_GetSessionInfo() | The state field returned is meaningless. It is always set to CK_UNAVAILABLE_INFORMATION. |
C_GetOperationState() | Returns CKR_STATE_UNSAVEABLE if a find is active or more than one cryptographic operation is active. |
C_SetOperationState() | |
C_Login() | Tokens are protected by the security manager through profiles in the CRYPTOZ class. Applications are always logged in to the security manager. PINs are not used. This function has no effect on the session state and always returns CKR_OK. |
C_Logout() | Tokens are protected by the security manager through profiles in the CRYPTOZ class. Applications are always logged in to the security manager. PINs are not used. This function has no effect on the session state and always returns CKR_OK. |
Object management functions: | |
C_CreateObject() | |
C_CopyObject() | |
C_DestroyObject() | |
C_GetObjectSize() | |
C_GetAttributeValue() | |
C_SetAttributeValue() | |
C_FindObjectsInit() | |
C_FindObjects() | Sensitive attributes cannot be used as search criteria when the object is marked sensitive or not exportable. Doing so results in no match found. |
C_FindObjectsFinal() | |
Encryption functions: | |
C_EncryptInit() | The following mechanisms are supported: |
C_Encrypt() | |
C_EncryptUpdate() | Multiple-part encryption is not supported for the CKM_RSA_PKCS and CKM_RSA_X_509 mechanisms. |
C_EncryptFinal() | Multiple-part encryption is not supported for the CKM_RSA_PKCS and CKM_RSA_X_509 mechanisms. |
Decryption functions: | |
C_DecryptInit() | The following mechanisms are supported: |
C_Decrypt() | |
C_DecryptUpdate() | Multiple-part decryption is not supported for the CKM_RSA_PKCS and CKM_RSA_X_509 mechanisms. |
C_DecryptFinal() | Multiple-part decryption is not supported for the CKM_RSA_PKCS and CKM_RSA_X_509 mechanisms. |
Message digesting functions: | |
C_DigestInit() | The following mechanisms are supported: |
C_Digest() | |
C_DigestUpdate() | |
C_DigestFinal() | |
Signing and message authentication coding (MACing) functions: | |
C_SignInit() | The following mechanisms are supported: |
C_Sign() | |
C_SignUpdate() | Multiple-part signature is not supported for the CKM_RSA_PKCS and CKM_RSA_X_509 mechanisms. |
C_SignFinal() | Multiple-part signature is not supported for the CKM_RSA_PKCS and CKM_RSA_X_509 mechanisms. |
Functions for verifying signatures and message authentication codes (MACs): | |
C_VerifyInit() | The following mechanisms are supported: |
C_Verify() | |
C_VerifyUpdate() | Multiple-part verify is not supported for the CKM_RSA_PKCS and CKM_RSA_X_509 mechanisms. |
C_VerifyFinal() | Multiple-part verify is not supported for the CKM_RSA_PKCS and CKM_RSA_X_509 mechanisms. |
Key management functions: | |
C_DeriveKey() | The following mechanisms are supported: |
C_GenerateKey() | The following mechanisms are supported: |
C_GenerateKeyPair() | The following mechanisms are supported: |
C_WrapKey() | The following mechanisms are supported for wrapping secret keys: The following mechanisms are supported for wrapping private keys: Clear keys may not be used to wrap secure keys and secure keys may not be used to wrap clear keys. One exception: Clear RSA public keys may be used to perform a non-attribute bound wrap of secure secret keys. |
C_UnwrapKey() | The following mechanisms are supported for unwrapping secret keys: The following mechanisms are supported for unwrapping private keys: |
Random number generation functions: | |
C_SeedRandom() | This function always returns the value CKR_RANDOM_SEED_NOT_SUPPORTED because the z/OS® hardware random number generator is self-seeding. |
C_GenerateRandom() | |