ExIcaoVds.Signer behaviour (ex_icao_vds v0.3.2)


Behaviour for signing backends.

Implement this behaviour to support local keys, Vault Transit, PKCS#11, or any custom signing service. The signer receives the raw payload bytes to sign and must sign them exactly as given, without modifying them; any hashing the algorithm requires is the signer's responsibility, not the caller's.

Summary

Callbacks

- algorithm/1: Return the algorithm atom for this signer config.
- key_reference/1: Return the key reference string.
- public_metadata/1: Return public metadata (safe to log) about this signer.
- sign/3: Sign payload bytes using the given signer_config.
- signer_identifier/1: Return the signer identifier string.

Callbacks

algorithm(signer_config)

@callback algorithm(signer_config :: map()) :: atom()

Return the algorithm atom for this signer config.

key_reference(signer_config)

@callback key_reference(signer_config :: map()) :: String.t() | nil

Return the key reference string.

public_metadata(signer_config)

@callback public_metadata(signer_config :: map()) :: map()

Return public metadata (safe to log) about this signer.

sign(payload, signer_config, opts)

@callback sign(payload :: binary(), signer_config :: map(), opts :: keyword()) ::
  {:ok, ExIcaoVds.Signature.t()} | {:error, ExIcaoVds.Error.t()}

Sign payload bytes using the given signer_config.

signer_identifier(signer_config)

@callback signer_identifier(signer_config :: map()) :: String.t() | nil

Return the signer identifier string.
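As an added illustration (not code from the ex_icao_vds project), here is a minimal local-key implementation of this behaviour using an in-memory P-256 key and Erlang's :crypto. The algorithm atom :es256, the signer_config keys (:private_key, :key_id, :signer_id), and the field names of ExIcaoVds.Signature and ExIcaoVds.Error are assumptions not established by this page.

```elixir
defmodule MyApp.LocalEcdsaSigner do
  @moduledoc """
  Illustrative ExIcaoVds.Signer backed by an in-memory P-256 private key.
  Assumed (not confirmed by the behaviour docs): :es256 is an accepted
  algorithm atom; ExIcaoVds.Signature has :algorithm, :key_reference and
  :value; ExIcaoVds.Error has :reason.
  Generate a test key with: {_pub, priv} = :crypto.generate_key(:ecdh, :secp256r1)
  """
  @behaviour ExIcaoVds.Signer

  @impl true
  def algorithm(_signer_config), do: :es256

  @impl true
  def key_reference(%{key_id: key_id}), do: key_id
  def key_reference(_signer_config), do: nil

  @impl true
  def signer_identifier(%{signer_id: id}), do: id
  def signer_identifier(_signer_config), do: nil

  @impl true
  def public_metadata(signer_config) do
    # Only non-secret fields: the private key must never appear here,
    # because this map is meant to be logged.
    %{
      backend: :local_ecdsa,
      algorithm: algorithm(signer_config),
      key_reference: key_reference(signer_config),
      signer_identifier: signer_identifier(signer_config)
    }
  end

  @impl true
  def sign(payload, %{private_key: priv} = signer_config, _opts) when is_binary(payload) do
    # The payload is signed exactly as received. SHA-256 hashing is
    # performed inside :crypto.sign/4 as part of ECDSA; the result is a
    # DER-encoded signature.
    der_sig = :crypto.sign(:ecdsa, :sha256, payload, [priv, :secp256r1])

    {:ok,
     %ExIcaoVds.Signature{
       algorithm: algorithm(signer_config),
       key_reference: key_reference(signer_config),
       value: der_sig
     }}
  end

  def sign(_payload, _signer_config, _opts) do
    # No usable private key in the config, or a non-binary payload.
    {:error, %ExIcaoVds.Error{reason: :missing_private_key}}
  end
end
```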