Standard functions supported

Table 1 lists the standard PKCS #11 functions that ICSF supports. Any function not listed is not supported and returns the CKR_FUNCTION_NOT_SUPPORTED return code.

Table 1. Standard PKCS #11 functions that ICSF supports, grouped by type of function.
Function Usage notes
General purpose functions:  
C_Initialize()
  • The library always uses OS locking for thread serialization. Therefore, if C_Initialize is called with the CreateMutex, DestroyMutex, LockMutex, and UnlockMutex function pointer arguments set (non-NULL) and the CKF_OS_LOCKING_OK flag is not set, C_Initialize fails and returns CKR_CANT_LOCK.
  • When C_Initialize is called, the application-specific set of (virtual) slot IDs is allocated, one for each preexisting token that the application is authorized to use. (See the descriptions of C_GetSlotList and C_WaitForSlotEvent for how this set can grow.) The one exception occurs when C_Initialize is called by a child process after fork: if the PKCS #11 environment is inherited by the child process, the slot list and token state are not refreshed.
C_Finalize() dlclose() cannot be used as an implicit C_Finalize(). If an application calls dlclose() without first calling C_Finalize() and then reinitializes PKCS #11, the subsequent call to C_Initialize() fails with CKR_FUNCTION_FAILED.
C_GetInfo()  
C_GetFunctionList()  
Slot and token management functions:  
C_GetSlotList()
  • If the pSlotList argument is NULL, this function returns only the number of allocated slots. While computing this number, C_GetSlotList searches for new tokens to which the application has access and allocates slot IDs for any it finds. This search is performed only if at least 5 seconds have passed since the last search.
  • If the pSlotList argument is non-NULL, this function returns the current list of virtual slot IDs. No attempt is made to discover new tokens created by other applications.
  • The tokenPresent argument is ignored, because every allocated slot has a token present.
C_GetSlotInfo()  
C_GetTokenInfo()  
C_WaitForSlotEvent()
  • This function is used to dynamically allocate an additional slot in order to create a new token. There are no other slot events. The newly allocated slot ID is returned as the pSlot argument.
  • The CKF_DONT_BLOCK argument flag is meaningless because this function never blocks. The dynamic slot allocation occurs synchronously.
C_GetMechanismList() The list of mechanisms returned reflects the capabilities of the current cryptographic hardware configuration.
Note: The loss or addition of hardware on the fly is not detected or reflected. (For example, on a z9-109, if the only CEX2C present is deactivated, this function still returns the mechanisms that require an active CEX2C.)
C_GetMechanismInfo() The output of this function reflects the capabilities of the current cryptographic hardware configuration.
C_InitToken() Tokens are protected by the security manager through profiles in the CRYPTOZ class. PINs are not used. The pPin and ulPinLen arguments are ignored.
C_InitPIN() Tokens are protected by the security manager through profiles in the CRYPTOZ class. PINs are not used. This function performs no operation and always returns CKR_OK.
C_SetPIN() Tokens are protected by the security manager through profiles in the CRYPTOZ class. PINs are not used. This function performs no operation and always returns CKR_OK.
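The following C program is an added example, not code from ICSF or from this documentation. It ties together the C_Initialize, C_Finalize, C_GetSlotList, C_WaitForSlotEvent and C_InitToken notes above: it loads a PKCS #11 module with dlopen(), initializes it with CKF_OS_LOCKING_OK and no mutex callbacks, lists the virtual slots with the usual two-call pattern, creates a token in a newly allocated slot, and calls C_Finalize() before dlclose(). It assumes the module path is supplied on the command line and that the module exports its C_ entry points by name (if it does not, resolve them through C_GetFunctionList instead). The struct p11, p11_* and icsf_* names are this example's own; icsf_check_init_args() only reproduces the CKR_CANT_LOCK rule from the table as a pre-flight check and is not a library function.

```c
/* Added example, not code from the ICSF documentation. Loads a PKCS #11 module with
 * dlopen(), initializes it as ICSF requires, lists the virtual slots, creates a token
 * in a newly allocated slot and tears down in the right order. The PKCS #11
 * declarations below are copied from pkcs11.h so the file builds stand-alone. */
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL, CK_UTF8CHAR;
typedef CK_ULONG CK_RV, CK_FLAGS, CK_SLOT_ID;
typedef void *CK_VOID_PTR;
typedef CK_RV (*CK_CREATEMUTEX)(CK_VOID_PTR *), (*CK_DESTROYMUTEX)(CK_VOID_PTR),
              (*CK_LOCKMUTEX)(CK_VOID_PTR), (*CK_UNLOCKMUTEX)(CK_VOID_PTR);
typedef struct { CK_CREATEMUTEX CreateMutex; CK_DESTROYMUTEX DestroyMutex; CK_LOCKMUTEX LockMutex;
                 CK_UNLOCKMUTEX UnlockMutex; CK_FLAGS flags; CK_VOID_PTR pReserved; } CK_C_INITIALIZE_ARGS;
enum { CKR_OK = 0x00, CKR_HOST_MEMORY = 0x02, CKR_GENERAL_ERROR = 0x05, CKR_CANT_LOCK = 0x0A,
       CKF_OS_LOCKING_OK = 0x02, CKF_DONT_BLOCK = 0x01 };

/* Entry points resolved by name; assumes the module exports them (else use C_GetFunctionList). */
struct p11 {
    void *dl;
    CK_RV (*Initialize)(CK_VOID_PTR);
    CK_RV (*Finalize)(CK_VOID_PTR);
    CK_RV (*GetSlotList)(CK_BBOOL, CK_SLOT_ID *, CK_ULONG *);
    CK_RV (*WaitForSlotEvent)(CK_FLAGS, CK_SLOT_ID *, CK_VOID_PTR);
    CK_RV (*InitToken)(CK_SLOT_ID, CK_UTF8CHAR *, CK_ULONG, CK_UTF8CHAR *);
};

/* ICSF always serializes with OS locking: set CKF_OS_LOCKING_OK and pass no mutex callbacks. */
CK_C_INITIALIZE_ARGS icsf_init_args(void) {
    CK_C_INITIALIZE_ARGS a = { NULL, NULL, NULL, NULL, CKF_OS_LOCKING_OK, NULL };
    return a;
}

/* Pre-flight check reproducing the rule in the table (not a library call): mutex callbacks
 * supplied without CKF_OS_LOCKING_OK make ICSF's C_Initialize() return CKR_CANT_LOCK. */
CK_RV icsf_check_init_args(const CK_C_INITIALIZE_ARGS *a) {
    int callbacks = a->CreateMutex || a->DestroyMutex || a->LockMutex || a->UnlockMutex;
    return (callbacks && !(a->flags & CKF_OS_LOCKING_OK)) ? CKR_CANT_LOCK : CKR_OK;
}

#define RESOLVE(p, name) do { *(void **)&(p)->name = dlsym((p)->dl, "C_" #name); \
    if (!(p)->name) { dlclose((p)->dl); (p)->dl = NULL; return CKR_GENERAL_ERROR; } } while (0)

CK_RV p11_load(struct p11 *p, const char *path) {
    CK_C_INITIALIZE_ARGS args = icsf_init_args();
    CK_RV rv;
    memset(p, 0, sizeof *p);
    if (!(p->dl = dlopen(path, RTLD_NOW))) return CKR_GENERAL_ERROR;
    RESOLVE(p, Initialize); RESOLVE(p, Finalize); RESOLVE(p, GetSlotList);
    RESOLVE(p, WaitForSlotEvent); RESOLVE(p, InitToken);
    if ((rv = p->Initialize(&args)) != CKR_OK) { dlclose(p->dl); p->dl = NULL; }
    return rv;
}

/* dlclose() is not an implicit C_Finalize(): unloading without finalizing makes the
 * next C_Initialize() in this process fail with CKR_FUNCTION_FAILED. */
void p11_unload(struct p11 *p) {
    if (!p->dl) return;
    p->Finalize(NULL);
    dlclose(p->dl);
    p->dl = NULL;
}

/* Two-call pattern. Only the NULL-buffer call makes ICSF look for tokens created since
 * the last search (at most once every 5 seconds), so it comes first. tokenPresent is ignored. */
CK_RV p11_list_slots(struct p11 *p, CK_SLOT_ID **slots, CK_ULONG *count) {
    CK_RV rv = p->GetSlotList(1, NULL, count);
    if (rv != CKR_OK) return rv;
    if (!(*slots = calloc(*count ? *count : 1, sizeof **slots))) return CKR_HOST_MEMORY;
    if ((rv = p->GetSlotList(1, *slots, count)) != CKR_OK) { free(*slots); *slots = NULL; }
    return rv;
}

/* On ICSF the only slot event is the allocation of a fresh virtual slot for a token the
 * caller is about to create, and the call never blocks. C_InitToken ignores the PIN
 * (CRYPTOZ profiles govern access). Labels are 32 bytes, blank padded, no NUL. */
CK_RV p11_create_token(struct p11 *p, const char *name, CK_SLOT_ID *slot) {
    CK_UTF8CHAR label[32];
    size_t n = strlen(name);
    CK_RV rv = p->WaitForSlotEvent(CKF_DONT_BLOCK, slot, NULL);
    if (rv != CKR_OK) return rv;
    memset(label, ' ', sizeof label);
    memcpy(label, name, n < sizeof label ? n : sizeof label);
    return p->InitToken(*slot, NULL, 0, label);
}

int main(int argc, char **argv) {
    struct p11 p; CK_SLOT_ID *slots, slot; CK_ULONG n, i; CK_RV rv;
    if (argc != 3) { fprintf(stderr, "usage: %s <pkcs11-module> <token-label>\n", argv[0]); return 2; }
    if ((rv = p11_load(&p, argv[1])) != CKR_OK) { fprintf(stderr, "load/C_Initialize: 0x%lx\n", rv); return 1; }
    if (p11_list_slots(&p, &slots, &n) == CKR_OK) { for (i = 0; i < n; i++) printf("slot %lu\n", slots[i]); free(slots); }
    if ((rv = p11_create_token(&p, argv[2], &slot)) == CKR_OK) printf("token created in slot %lu\n", slot);
    else fprintf(stderr, "C_WaitForSlotEvent/C_InitToken: 0x%lx\n", rv);
    p11_unload(&p);   /* C_Finalize() first, then dlclose() */
    return rv == CKR_OK ? 0 : 1;
}
```

Build with the C compiler of your choice (add -ldl on systems where dlopen() is not in the C library) and run it as `./p11demo <path-to-module> MYTOKEN`. Because the slot list is only refreshed by the NULL-buffer call, a long-running application that wants to see tokens created by other jobs has to repeat that first call periodically rather than caching the list from start-up.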
Session management functions:  
C_OpenSession() The Notify and pApplication arguments are ignored.
C_CloseSession()  
C_CloseAllSessions()  
C_GetSessionInfo() The state field returned is meaningless. It is always set to CK_UNAVAILABLE_INFORMATION.
C_GetOperationState() Returns CKR_STATE_UNSAVEABLE if a find is active or more than one cryptographic operation is active.
C_SetOperationState()  
C_Login() Tokens are protected by the security manager through profiles in the CRYPTOZ class. Applications are always logged in to the security manager. PINs are not used. This function has no effect on the session state and always returns CKR_OK.
C_Logout() Tokens are protected by the security manager through profiles in the CRYPTOZ class. Applications are always logged in to the security manager. PINs are not used. This function has no effect on the session state and always returns CKR_OK.
Object management functions:  
C_CreateObject()  
C_CopyObject()  
C_DestroyObject()  
C_GetObjectSize()  
C_GetAttributeValue()  
C_SetAttributeValue()  
C_FindObjectsInit()  
C_FindObjects() Sensitive attributes cannot be used as search criteria when the object is marked sensitive or not exportable. Doing so results in no match being found.
C_FindObjectsFinal()  
Encryption functions:  
C_EncryptInit() The following mechanisms are supported:
  • CKM_DES_ECB
  • CKM_DES_CBC
  • CKM_DES_CBC_PAD
  • CKM_DES3_ECB
  • CKM_DES3_CBC
  • CKM_DES3_CBC_PAD
  • CKM_RSA_PKCS
  • CKM_RSA_X_509
  • CKM_AES_CBC
  • CKM_AES_ECB
  • CKM_AES_CBC_PAD
  • CKM_AES_GCM (single-part encryption only, and no more than 1048576 bytes of clear text)
  • CKM_BLOWFISH_CBC
  • CKM_RC4
Note: A secure key may not be used for processing rule GCM or GCMIVGEN.
C_Encrypt()  
C_EncryptUpdate() Multiple-part encryption is not supported for the CKM_RSA_PKCS and CKM_RSA_X_509 mechanisms.
C_EncryptFinal() Multiple-part encryption is not supported for the CKM_RSA_PKCS and CKM_RSA_X_509 mechanisms.
Decryption functions:  
C_DecryptInit() The following mechanisms are supported:
  • CKM_DES_ECB
  • CKM_DES_CBC
  • CKM_DES_CBC_PAD
  • CKM_DES3_ECB
  • CKM_DES3_CBC
  • CKM_DES3_CBC_PAD
  • CKM_RSA_PKCS
  • CKM_RSA_X_509
  • CKM_AES_CBC
  • CKM_AES_ECB
  • CKM_AES_CBC_PAD
  • CKM_AES_GCM (single-part decryption only, and no more than 1048576 bytes of clear text)
  • CKM_BLOWFISH_CBC
  • CKM_RC4
Note: A secure key may not be used for processing rule GCM.
C_Decrypt()  
C_DecryptUpdate() Multiple-part decryption is not supported for the CKM_RSA_PKCS and CKM_RSA_X_509 mechanisms.
C_DecryptFinal() Multiple-part decryption is not supported for the CKM_RSA_PKCS and CKM_RSA_X_509 mechanisms.
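The encryption and decryption notes above impose two caller-visible restrictions: CKM_RSA_PKCS, CKM_RSA_X_509 and CKM_AES_GCM must be used single-part, and GCM input is capped at 1048576 bytes. The same single-part rule applies to the raw RSA mechanisms under C_Sign and C_Verify. The following wrapper is an added example, not ICSF code, showing how a client selects the single-part or multi-part call sequence accordingly. The struct p11_encrypt_fns, the chunk argument and the icsf_* and p11_* names are this example's own; the caller fills the function pointers from the module's CK_FUNCTION_LIST. The wrapper rejects over-long GCM input itself with CKR_DATA_LEN_RANGE before calling the library, which is this example's choice: the table does not say which return code ICSF produces in that case.

```c
/* Added example, not ICSF code: an encrypt wrapper that honours the ICSF limits in the
 * table. Raw RSA (CKM_RSA_PKCS, CKM_RSA_X_509) and CKM_AES_GCM go through single-part
 * C_Encrypt, GCM input is capped at 1048576 bytes, and everything else is streamed
 * through C_EncryptUpdate/C_EncryptFinal. The PKCS #11 declarations it needs are
 * copied from pkcs11.h so the file compiles stand-alone. */
#include <stdlib.h>

typedef unsigned long CK_ULONG;
typedef unsigned char CK_BYTE;
typedef CK_ULONG CK_RV, CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_MECHANISM_TYPE;
typedef struct { CK_MECHANISM_TYPE mechanism; void *pParameter; CK_ULONG ulParameterLen; } CK_MECHANISM;
enum { CKR_OK = 0x00, CKR_HOST_MEMORY = 0x02, CKR_DATA_LEN_RANGE = 0x21,
       CKM_RSA_PKCS = 0x0001, CKM_RSA_X_509 = 0x0003, CKM_AES_GCM = 0x1087 };
#define ICSF_GCM_MAX_INPUT 1048576UL /* table: single-part GCM, at most this much clear text */
#define MAX_BLOCK 16                 /* largest block size among the listed mechanisms (AES) */

/* Function pointers taken from the module's CK_FUNCTION_LIST by the caller. */
struct p11_encrypt_fns {
    CK_RV (*EncryptInit)(CK_SESSION_HANDLE, CK_MECHANISM *, CK_OBJECT_HANDLE);
    CK_RV (*Encrypt)(CK_SESSION_HANDLE, CK_BYTE *, CK_ULONG, CK_BYTE *, CK_ULONG *);
    CK_RV (*EncryptUpdate)(CK_SESSION_HANDLE, CK_BYTE *, CK_ULONG, CK_BYTE *, CK_ULONG *);
    CK_RV (*EncryptFinal)(CK_SESSION_HANDLE, CK_BYTE *, CK_ULONG *);
};

/* Mechanisms ICSF will not drive through C_EncryptUpdate/C_EncryptFinal. */
int icsf_single_part_only(CK_MECHANISM_TYPE m) {
    return m == CKM_RSA_PKCS || m == CKM_RSA_X_509 || m == CKM_AES_GCM;
}

/* This wrapper's own check; the table does not say which code ICSF returns over the limit. */
CK_RV icsf_check_encrypt_len(CK_MECHANISM_TYPE m, CK_ULONG inlen) {
    return (m == CKM_AES_GCM && inlen > ICSF_GCM_MAX_INPUT) ? CKR_DATA_LEN_RANGE : CKR_OK;
}

/* Encrypts in[0..inlen) under key with mech. On CKR_OK, *out is malloc'd and holds
 * *outlen bytes. chunk is the multi-part feed size; it is ignored on the single-part path. */
CK_RV p11_encrypt(const struct p11_encrypt_fns *f, CK_SESSION_HANDLE s, CK_MECHANISM *mech,
                  CK_OBJECT_HANDLE key, CK_BYTE *in, CK_ULONG inlen, CK_ULONG chunk,
                  CK_BYTE **out, CK_ULONG *outlen) {
    CK_RV rv = icsf_check_encrypt_len(mech->mechanism, inlen);
    *out = NULL;
    if (rv != CKR_OK || (rv = f->EncryptInit(s, mech, key)) != CKR_OK) return rv;
    if (icsf_single_part_only(mech->mechanism)) {
        /* Standard size query with a NULL buffer, then the real call. */
        if ((rv = f->Encrypt(s, in, inlen, NULL, outlen)) != CKR_OK) return rv;
        if (!(*out = malloc(*outlen))) return CKR_HOST_MEMORY;
        rv = f->Encrypt(s, in, inlen, *out, outlen);
    } else {
        /* Padded block modes may emit one extra block, so inlen + MAX_BLOCK bounds the
         * combined output of every Update call plus Final. */
        CK_ULONG cap = inlen + MAX_BLOCK, done = 0, off = 0, avail;
        if (chunk == 0) chunk = inlen ? inlen : 1;
        if (!(*out = malloc(cap))) return CKR_HOST_MEMORY;
        for (rv = CKR_OK; rv == CKR_OK && off < inlen; off += chunk) {
            CK_ULONG n = inlen - off < chunk ? inlen - off : chunk;
            avail = cap - done;
            if ((rv = f->EncryptUpdate(s, in + off, n, *out + done, &avail)) == CKR_OK) done += avail;
        }
        if (rv == CKR_OK) {
            avail = cap - done;
            if ((rv = f->EncryptFinal(s, *out + done, &avail)) == CKR_OK) done += avail;
        }
        *outlen = done;
    }
    if (rv != CKR_OK) { free(*out); *out = NULL; }
    return rv;
}
```

The same shape serves C_Decrypt, C_Sign and C_Verify: classify the mechanism first, use the single-part entry point for the raw RSA mechanisms (hashing and DigestInfo encoding are then the caller's job), and stream everything else.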
Message digesting functions:  
C_DigestInit() The following mechanisms are supported:
  • CKM_MD2
  • CKM_MD5
  • CKM_SHA_1
  • CKM_SHA224
  • CKM_SHA256
  • CKM_SHA384
  • CKM_SHA512
  • CKM_RIPEMD160
C_Digest()  
C_DigestUpdate()  
C_DigestFinal()  
Signing and message authentication coding (MACing) functions:  
C_SignInit() The following mechanisms are supported:
  • CKM_RSA_X_509
  • CKM_RSA_PKCS
  • CKM_MD5_RSA_PKCS
  • CKM_SHA1_RSA_PKCS
  • CKM_SHA224_RSA_PKCS
  • CKM_SHA256_RSA_PKCS
  • CKM_SHA384_RSA_PKCS
  • CKM_SHA512_RSA_PKCS
  • CKM_DSA
  • CKM_DSA_SHA1
  • CKM_MD5_HMAC
  • CKM_SHA_1_HMAC
  • CKM_SHA224_HMAC
  • CKM_SHA256_HMAC
  • CKM_SHA384_HMAC
  • CKM_SHA512_HMAC
  • CKM_SSL3_MD5_MAC
  • CKM_SSL3_SHA1_MAC
  • CKM_MD2_RSA_PKCS
  • CKM_ECDSA
  • CKM_ECDSA_SHA1
  • CKM_RSA_PKCS_PSS
  • CKM_SHA1_RSA_PKCS_PSS
  • CKM_SHA224_RSA_PKCS_PSS
  • CKM_SHA256_RSA_PKCS_PSS
  • CKM_SHA384_RSA_PKCS_PSS
  • CKM_SHA512_RSA_PKCS_PSS
C_Sign()  
C_SignUpdate() Multiple-part signature is not supported for the CKM_RSA_PKCS and CKM_RSA_X_509 mechanisms.
C_SignFinal() Multiple-part signature is not supported for the CKM_RSA_PKCS and CKM_RSA_X_509 mechanisms.
Functions for verifying signatures and message authentication codes (MACs):  
C_VerifyInit() The following mechanisms are supported:
  • CKM_RSA_X_509
  • CKM_RSA_PKCS
  • CKM_MD5_RSA_PKCS
  • CKM_SHA1_RSA_PKCS
  • CKM_SHA224_RSA_PKCS
  • CKM_SHA256_RSA_PKCS
  • CKM_SHA384_RSA_PKCS
  • CKM_SHA512_RSA_PKCS
  • CKM_DSA
  • CKM_DSA_SHA1
  • CKM_MD5_HMAC
  • CKM_SHA_1_HMAC
  • CKM_SHA224_HMAC
  • CKM_SHA256_HMAC
  • CKM_SHA384_HMAC
  • CKM_SHA512_HMAC
  • CKM_SSL3_MD5_MAC
  • CKM_SSL3_SHA1_MAC
  • CKM_MD2_RSA_PKCS
  • CKM_ECDSA
  • CKM_ECDSA_SHA1
  • CKM_RSA_PKCS_PSS
  • CKM_SHA1_RSA_PKCS_PSS
  • CKM_SHA224_RSA_PKCS_PSS
  • CKM_SHA256_RSA_PKCS_PSS
  • CKM_SHA384_RSA_PKCS_PSS
  • CKM_SHA512_RSA_PKCS_PSS
C_Verify()  
C_VerifyUpdate() Multiple-part verify is not supported for the CKM_RSA_PKCS and CKM_RSA_X_509 mechanisms.
C_VerifyFinal() Multiple-part verify is not supported for the CKM_RSA_PKCS and CKM_RSA_X_509 mechanisms.
Key management functions:  
C_DeriveKey() The following mechanisms are supported:
  • CKM_DH_PKCS_DERIVE
  • CKM_SSL3_MASTER_KEY_DERIVE
  • CKM_SSL3_MASTER_KEY_DERIVE_DH
  • CKM_SSL3_KEY_AND_MAC_DERIVE
  • CKM_TLS_MASTER_KEY_DERIVE
  • CKM_TLS_MASTER_KEY_DERIVE_DH
  • CKM_TLS_KEY_AND_MAC_DERIVE
  • CKM_TLS_PRF (It is the caller's responsibility to supply an ASCII value for the seed.)
  • CKM_ECDH1_DERIVE
Note: The service does not support the derivation of secure keys. For the CKM_ECDH1_DERIVE and CKM_DH_PKCS_DERIVE mechanisms only, the input base key may be a secure key.
C_GenerateKey() The following mechanisms are supported:
  • CKM_DES_KEY_GEN
  • CKM_DES2_KEY_GEN
  • CKM_DES3_KEY_GEN
  • CKM_PBE_SHA1_DES3_EDE_CBC
  • CKM_AES_KEY_GEN
  • CKM_DSA_PARAMETER_GEN
  • CKM_DH_PKCS_PARAMETER_GEN
  • CKM_BLOWFISH_KEY_GEN
  • CKM_RC4_KEY_GEN
  • CKM_GENERIC_SECRET_KEY_GEN
  • CKM_SSL3_PRE_MASTER_KEY_GEN
  • CKM_TLS_PRE_MASTER_KEY_GEN
C_GenerateKeyPair() The following mechanisms are supported:
  • CKM_RSA_PKCS_KEY_PAIR_GEN
  • CKM_DSA_KEY_PAIR_GEN
  • CKM_DH_PKCS_KEY_PAIR_GEN
  • CKM_EC_KEY_PAIR_GEN
C_WrapKey() The following mechanisms are supported for wrapping secret keys:
  • CKM_RSA_PKCS
  • CKM_DES_CBC_PAD
  • CKM_DES3_CBC_PAD
  • CKM_AES_CBC_PAD
  • CKM_IBM_ATTRIBUTEBOUND_WRAP
The following mechanisms are supported for wrapping private keys:
  • CKM_DES_CBC_PAD
  • CKM_DES3_CBC_PAD
  • CKM_AES_CBC_PAD
  • CKM_IBM_ATTRIBUTEBOUND_WRAP
Note: Clear keys may not be used to wrap secure keys, and secure keys may not be used to wrap clear keys. One exception: a clear RSA public key may be used to perform a non-attribute-bound wrap of a secure secret key.
C_UnwrapKey() The following mechanisms are supported for unwrapping secret keys:
  • CKM_RSA_PKCS
  • CKM_DES_CBC_PAD
  • CKM_DES3_CBC_PAD
  • CKM_AES_CBC_PAD
  • CKM_IBM_ATTRIBUTEBOUND_WRAP
The following mechanisms are supported for unwrapping private keys:
  • CKM_DES_CBC_PAD
  • CKM_DES3_CBC_PAD
  • CKM_AES_CBC_PAD
  • CKM_IBM_ATTRIBUTEBOUND_WRAP
Random number generation functions:  
C_SeedRandom() This function always returns the value CKR_RANDOM_SEED_NOT_SUPPORTED because the z/OS® hardware random number generator is self-seeding.
C_GenerateRandom()