ExIcaoVds.Signers.PKCS11
(ex_icao_vds v0.3.2)
Signing backend using PKCS#11 tokens (HSMs, smartcards, SoftHSM) via the
p11ex library.
Add {:p11ex, "~> 0.3"} to your application's dependencies to enable this
backend. The library must be started before use
(Application.ensure_all_started(:p11ex)).
Signing flow
Each call to sign/3 opens a fresh session, authenticates, signs, and
closes the session. For high-throughput use, consider managing a persistent
session externally and using a custom signer module.
PKCS#11 ECDSA returns the signature as raw r || s bytes (64 bytes for
P-256). This signer converts it to DER format before returning, so the
token's signature format is transparent to the rest of the pipeline
(encoding, verification).
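The conversion described above, as an added example that is not code from ex_icao_vds or p11ex: RawSig is a hypothetical module, and it uses only OTP's :public_key and :crypto. A software key pair stands in for the token so the result can be checked by verifying the DER signature.

```elixir
# Added example; RawSig is a hypothetical module, not part of ex_icao_vds or p11ex.
defmodule RawSig do
  # Convert a raw P-256 signature (r || s, 32 bytes each, big-endian) to DER.
  # The ASN.1 encoder drops leading zero bytes and inserts the 0x00 pad a DER
  # INTEGER needs when its top bit is set, so the DER length varies (max 72 bytes).
  def to_der(<<r::unsigned-big-integer-size(256), s::unsigned-big-integer-size(256)>>) do
    {:ok, :public_key.der_encode(:"ECDSA-Sig-Value", {:"ECDSA-Sig-Value", r, s})}
  end

  # Any other length is not a P-256 r || s pair; reject it instead of guessing.
  def to_der(other) when is_binary(other), do: {:error, {:bad_length, byte_size(other)}}

  # Inverse direction, used here only to build a token-style raw sample.
  def from_der(der) do
    {:"ECDSA-Sig-Value", r, s} = :public_key.der_decode(:"ECDSA-Sig-Value", der)
    <<r::unsigned-big-integer-size(256), s::unsigned-big-integer-size(256)>>
  end
end

# Constructed sample: a software key pair stands in for the key held on the token.
msg = "constructed VDS payload"
{pub, priv} = :crypto.generate_key(:ecdh, :secp256r1)
raw = :crypto.sign(:ecdsa, :sha256, msg, [priv, :secp256r1]) |> RawSig.from_der()
64 = byte_size(raw)

# Raw -> DER round trip must still verify against the public key.
{:ok, der} = RawSig.to_der(raw)
true = :crypto.verify(:ecdsa, :sha256, msg, der, [pub, :secp256r1])

# Edge case: r has its top bit set (needs a 0x00 pad), s is a single byte.
{:ok, padded} = RawSig.to_der(<<0xFF, 0::248, 0::248, 1>>)
<<0x30, 38, 0x02, 33, 0x00, 0xFF, _rest::binary>> = padded

# A truncated signature is rejected.
{:error, {:bad_length, 63}} = RawSig.to_der(binary_part(raw, 0, 63))
IO.puts("raw r || s -> DER conversion checks passed")
```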
Config keys
| Key | Description |
|---|---|
| :lib_path | Path to the PKCS#11 shared library (e.g. /usr/lib/softhsm/libsofthsm2.so) |
| :slot | Slot ID integer, or :first_with_token (default) |
| :pin | User PIN string, or {:system, "ENV_VAR"} |
| :key_label | CKA_LABEL of the private key object |
| :key_id | CKA_ID of the private key (binary, used if :key_label absent) |
| :algorithm | :ecdsa_p256_sha256 (default) |
| :signer_identifier | Written into the VDS header |
| :key_reference | Written into the VDS header |
SoftHSM2 quick start
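```bash
# Initialise a token labelled "vds" in slot 0 (example PINs)
softhsm2-util --init-token --slot 0 --label "vds" \
  --pin 1234 --so-pin 0000

# Generate a P-256 key pair on the token; the label matches :key_label
pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so \
  --login --pin 1234 --keypairgen --key-type EC:prime256v1 \
  --label "vds-signing-key"
```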