Flags defined for Token Info "Flags" field from "pkcsconf -t":

/* The flags parameter is defined as follows:
 *      Bit Flag                    	Mask        Meaning
 */
#define CKF_RNG                     	0x00000001  /* has random # generator */
#define CKF_WRITE_PROTECTED         	0x00000002  /* token is write-protected */
#define CKF_LOGIN_REQUIRED          	0x00000004  /* user must login */
#define CKF_USER_PIN_INITIALIZED    	0x00000008  /* normal user's PIN is set */

/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0.  If it is set,
 * that means that *every* time the state of cryptographic
 * operations of a session is successfully saved, all keys
 * needed to continue those operations are stored in the state */
#define CKF_RESTORE_KEY_NOT_NEEDED  	0x00000020

/* CKF_CLOCK_ON_TOKEN is new for v2.0.  If it is set, that means
 * that the token has some sort of clock.  The time on that
 * clock is returned in the token info structure */
#define CKF_CLOCK_ON_TOKEN          	0x00000040

/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0.  If it is
 * set, that means that there is some way for the user to login
 * without sending a PIN through the Cryptoki library itself */
#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100

/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0.  If it is true,
 * that means that a single session with the token can perform
 * dual simultaneous cryptographic operations (digest and encrypt;
 * decrypt and digest; sign and encrypt; and decrypt and sign) */
#define CKF_DUAL_CRYPTO_OPERATIONS  	0x00000200

/* CKF_TOKEN_INITIALIZED is new for v2.11. If it is true, the
 * token has been initialized using C_InitializeToken or an
 * equivalent mechanism outside the scope of this standard.
 * Calling C_InitializeToken when this flag is set will cause
 * the token to be reinitialized. */
#define CKF_TOKEN_INITIALIZED		0x00000400

/* CKF_SECONDARY_AUTHENTICATION is new for v2.11.  If it is
 * true, the token supports secondary authentication for private
 * key objects. According to the 2.11 spec pg. 45, this flag
 * is deprecated and this flags should never be true. */
#define CKF_SECONDARY_AUTHENTICATION	0x00000800

/* CKF_USER_PIN_COUNT_LOW is new in v2.11.  This flag is true
 * is an incorrect user PIN has been entered at least once
 * since the last successful authentication. */
#define CKF_USER_PIN_COUNT_LOW		0x00010000

/* CKF_USER_PIN_FINAL_TRY is new in v2.11.  This flag is true if
 * supplying an incorrect user PIN will cause it to become locked. */
#define CKF_USER_PIN_FINAL_TRY		0x00020000

/* CKF_USER_PIN_LOCKED is new in v2.11.  This is true if the user
 * PIN has been locked.  User login to the token is not possible. */
#define CKF_USER_PIN_LOCKED		0x00040000

/* CKF_USER_PIN_TO_BE_CHANGED is new in v2.11.  This flag is true if
 * the user PIN value is the default value set by token initialization
 * of manufacturing, or the PIN has been expired by the card. */
#define CKF_USER_PIN_TO_BE_CHANGED	0x00080000

/* CKF_SO_PIN_COUNT_LOW is new in v2.11.  This flag is true if
 * and incorrect SO login PIN has been entered at least once
 * since the last successful authentication. */
#define CKF_SO_PIN_COUNT_LOW		0x00100000

/* CKF_SO_PIN_FINAL_TRY is new in v2.11.  This flag is true if
 * supplying an incorrect SO PIN will cause it to become locked. */
#define CKF_SO_PIN_FINAL_TRY		0x00200000

/* CKF_SO_PIN_LOCKED is new in v2.11.  This flag is true if the
 * SO PIN has been locked.  User login to the token is not possible. */
#define CKF_SO_PIN_LOCKED		0x00400000

/* CKF_SO_PIN_TO_BE_CHANGED is new in v2.11. This flag is true if the SO PIN 
 * value is the default value set by token initialization of manufacturing,
 * or the PIN has been expired by the card. */
#define CKF_SO_PIN_TO_BE_CHANGED	0x00800000

/*  other IBM extended Token info Flags 05/29/99  */
#define CKF_SO_PIN_DERIVED          0x01000000  // Sec Officer pin on card is derived from card id
#define CKF_SO_CARD                 0x02000000  // Security Officer Card
/* End of IBM extented Token Info Flags   */