API Reference ex_icao_vds v#0.3.2

Modules

ICAO Visible Digital Seal (VDS) library.

Behaviour for audit logging. Wire in a custom logger to persist issuance and verification audit trails without hard-wiring storage into the library.

No-op audit logger. Events are discarded silently.

C40 encoding and decoding for ICAO VDS header fields.

Carrier capacity estimation and runtime preflight checks.

Result of design-time capacity estimation for a VDS profile.

Result of a runtime preflight carrier capacity check.

Behaviour for visible carrier backends (Data Matrix, QR, Aztec, PDF417).

Aztec Code carrier adapter backed by the Zint CLI tool.

Data Matrix carrier adapter backed by the Zint CLI tool.

PDF417 carrier adapter backed by the Zint CLI tool.

QR Code carrier — pure Elixir, no external dependencies.

Behaviour for time sources. Inject ExIcaoVds.Clocks.Fixed in tests to produce deterministic timestamps.

Deterministic clock for tests. Provide :date and :datetime in opts.

Clock implementation backed by the system clock.

Full VDS encode/decode: assembles and parses complete VDS byte sequences.

Configuration loading, merging, and secret resolution.

RFC 9180 HPKE Base Mode: DHKEM(P-256, HKDF-SHA256) + HKDF-SHA256 + AES-256-GCM.

Encryption metadata returned by ExIcaoVds.issue/2 when field-level encryption is configured.

Behaviour for optional field-level encryption inside the VDS message zone.

Field-level HPKE encryptor using RFC 9180 Base Mode.

No-op encryptor for profiles that do not use field-level encryption.

Structured error type returned by all public API functions.

A single data field within a VDS message zone.

VDS header struct and binary encoder/decoder.

Variable-length encoding used in VDS TLV fields.

VDS message zone: an ordered list of TLV-encoded feature fields.

Default policy checks applied after signature verification.

Behaviour for document-level business rule checks applied after signature verification. Policies are separate from cryptographic validity.

Behaviour for VDS document profiles, plus the defprofile do DSL for defining profiles with use ExIcaoVds.Profile.

Example eTA (Electronic Travel Authorization) profile v1.

Declarative generic profile. Field definitions are supplied via config or runtime opts rather than a custom module.

MRTD (Machine Readable Travel Document) VDS profile v1.

Issuance pipeline: validates input, builds header + message zone, signs, assembles the complete VDS binary, and optionally renders a carrier.

Signature produced by a Signer backend.

Verifies a VDS signature against trust material resolved by a TrustResolver.

VDS signature zone struct and binary encoder/decoder.

Behaviour for signing backends.

Signer backed by local key material (PEM private key or raw EC key bytes).

Signing backend using PKCS#11 tokens (HSMs, smartcards, SoftHSM) via the p11ex library.

Signing backend using the HashiCorp Vault Transit secrets engine.

Behaviour for resolving signer trust material from a VDS header.

Trust resolver backed by an Ecto repo.

Trust resolver that loads X.509 certificates from PEM files on disk.

Trust resolver that loads public keys from PEM files on disk.

Trust resolver that fetches public keys from a remote HTTP endpoint.

Trust resolver backed by an in-memory map of DER-encoded X.509 certificates.

Trust resolver backed by an in-memory map of public keys.

Verification pipeline: parses a VDS binary, resolves trust material, verifies the signature, decodes features, and runs policy checks.

Mix Tasks

Creates an annotated git tag that matches the version in mix.exs.

Bumps the package version in mix.exs and updates the dependency snippet in README.md.