ExIcaoVds.TrustResolvers.HttpStore
(ex_icao_vds v0.3.2)
Trust resolver that fetches public keys from a remote HTTP endpoint.
Keys are fetched on every resolve/2 call. Add a caching layer (ETS,
:persistent_term, or a GenServer) in front if you need TTL-based caching.
Supported response formats
| :format | Description |
|---|---|
| :jwks (default) | JSON Web Key Set — {"keys": [{kty,crv,x,y,kid,...}]} |
| :pem_list | Newline-separated PEM public keys; kid matched from Comment: header or positional index |
Key lookup
For :jwks, the JWKS kid field is matched against header.key_reference.
If no kid matches, the first key in the set is used as a fallback (useful
for single-key endpoints).
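The lookup rule described above, sketched as an added example (not ex_icao_vds code): select/2 mirrors the documented kid match with first-key fallback and tags which path produced the key, while select_strict/2 is a hypothetical stricter policy that accepts the fallback only for single-key sets. The module and function names, the kid values and the sample key sets are constructed for illustration.

```elixir
# Added illustration, not ex_icao_vds code. Module and function names are hypothetical.
defmodule KidLookupSketch do
  # Documented rule: exact kid match first, otherwise the first key in the set.
  # The tag in the result records which path produced the key.
  def select(%{"keys" => keys}, key_reference)
      when is_list(keys) and is_binary(key_reference) do
    case {Enum.find(keys, &(&1["kid"] == key_reference)), keys} do
      {nil, []} -> {:error, :empty_key_set}
      {nil, [first | _]} -> {:fallback, first}
      {key, _} -> {:exact, key}
    end
  end

  # Stricter policy (an assumption of this example, not a library option):
  # accept the fallback only when the endpoint serves exactly one key.
  def select_strict(%{"keys" => keys} = jwks, key_reference) do
    case select(jwks, key_reference) do
      {:exact, key} -> {:ok, key}
      {:fallback, key} when length(keys) == 1 -> {:ok, key}
      {:fallback, _} -> {:error, :kid_not_found}
      {:error, reason} -> {:error, reason}
    end
  end
end

# Constructed sample: a two-key set and a single-key set (coordinates are placeholders).
multi = %{
  "keys" => [
    %{"kty" => "EC", "crv" => "P-256", "kid" => "KEY-A", "x" => "<x>", "y" => "<y>"},
    %{"kty" => "EC", "crv" => "P-256", "kid" => "KEY-B", "x" => "<x>", "y" => "<y>"}
  ]
}

single = %{"keys" => [hd(multi["keys"])]}

for {label, jwks, ref} <- [
      {"known kid", multi, "KEY-B"},
      {"unknown kid, two keys", multi, "KEY-Z"},
      {"unknown kid, one key", single, "KEY-Z"}
    ] do
  {tag, key} = KidLookupSketch.select(jwks, ref)
  IO.inspect({label, tag, key["kid"], KidLookupSketch.select_strict(jwks, ref)})
end
```

The second case is the one to watch: a reference naming an unknown kid still resolves to KEY-A under the documented fallback, which only the strict variant rejects.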
Per-profile configuration
Pass the resolver opts from a profile's verify/2 config:
    ExIcaoVds.verify(raw_vds, %{
      verifier: %{
        trust_resolver: ExIcaoVds.TrustResolvers.HttpStore,
        url: "https://trust.authority.example/csca/keys.jwks",
        format: :jwks,
        headers: [{"Authorization", "Bearer #{token}"}]
      }
    })

Config opts
| Key | Default | Description |
|---|---|---|
| :url | — | Endpoint URL (required) |
| :format | :jwks | Response format: :jwks or :pem_list |
| :headers | [] | Additional HTTP request headers |
| :receive_timeout | 5_000 | Request timeout in ms |
| :tls_verify | :verify_peer | :verify_peer or :verify_none |
| :curve | :secp256r1 | Curve atom for resolved keys |