# ex_icao_vds v0.3.2 - Table of Contents

ICAO VDS-NC (Visible Digital Seal) issuance and verification library

## Pages

- Guide
  - [ex_icao_vds](readme.md)

## Modules

- [ExIcaoVds.C40](ExIcaoVds.C40.md): C40 encoding and decoding for ICAO VDS header fields.
- [ExIcaoVds.Length](ExIcaoVds.Length.md): Variable-length encoding used in VDS TLV fields.

- Public API
  - [ExIcaoVds](ExIcaoVds.md): ICAO Visible Digital Seal (VDS) library.

- Profiles
  - [ExIcaoVds.Profile](ExIcaoVds.Profile.md): Behaviour for VDS document profiles, plus the `defprofile do` DSL for defining profiles with `use ExIcaoVds.Profile`.
  - [ExIcaoVds.Profiles.ETA.V1](ExIcaoVds.Profiles.ETA.V1.md): Example eTA (Electronic Travel Authorization) profile v1.
  - [ExIcaoVds.Profiles.Generic](ExIcaoVds.Profiles.Generic.md): Declarative generic profile. Field definitions are supplied via config or runtime opts rather than a custom module.
  - [ExIcaoVds.Profiles.MRTD.V1](ExIcaoVds.Profiles.MRTD.V1.md): MRTD (Machine Readable Travel Document) VDS profile v1.

- Signers
  - [ExIcaoVds.Signer](ExIcaoVds.Signer.md): Behaviour for signing backends.
  - [ExIcaoVds.Signers.LocalKey](ExIcaoVds.Signers.LocalKey.md): Signer backed by local key material (PEM private key or raw EC key bytes).
  - [ExIcaoVds.Signers.PKCS11](ExIcaoVds.Signers.PKCS11.md): Signing backend using PKCS#11 tokens (HSMs, smartcards, SoftHSM) via the `p11ex` library.
  - [ExIcaoVds.Signers.Vault](ExIcaoVds.Signers.Vault.md): Signing backend using HashiCorp Vault Transit secrets engine.

- Trust Resolvers
  - [ExIcaoVds.TrustResolver](ExIcaoVds.TrustResolver.md): Behaviour for resolving signer trust material from a VDS header.
  - [ExIcaoVds.TrustResolvers.DatabaseStore](ExIcaoVds.TrustResolvers.DatabaseStore.md): Trust resolver backed by an Ecto repo.
  - [ExIcaoVds.TrustResolvers.FileCertificateStore](ExIcaoVds.TrustResolvers.FileCertificateStore.md): Trust resolver that loads X.509 certificates from PEM files on disk.
  - [ExIcaoVds.TrustResolvers.FileKeyStore](ExIcaoVds.TrustResolvers.FileKeyStore.md): Trust resolver that loads public keys from PEM files on disk.
  - [ExIcaoVds.TrustResolvers.HttpStore](ExIcaoVds.TrustResolvers.HttpStore.md): Trust resolver that fetches public keys from a remote HTTP endpoint.
  - [ExIcaoVds.TrustResolvers.StaticCertificateStore](ExIcaoVds.TrustResolvers.StaticCertificateStore.md): Trust resolver backed by an in-memory map of DER-encoded X.509 certificates.
  - [ExIcaoVds.TrustResolvers.StaticKeyStore](ExIcaoVds.TrustResolvers.StaticKeyStore.md): Trust resolver backed by an in-memory map of public keys.

- Carriers
  - [ExIcaoVds.Carrier](ExIcaoVds.Carrier.md): Behaviour for visible carrier backends (Data Matrix, QR, Aztec, PDF417).
  - [ExIcaoVds.Carriers.Aztec](ExIcaoVds.Carriers.Aztec.md): Aztec Code carrier adapter backed by the Zint CLI tool.
  - [ExIcaoVds.Carriers.DataMatrix](ExIcaoVds.Carriers.DataMatrix.md): Data Matrix carrier adapter backed by the Zint CLI tool.
  - [ExIcaoVds.Carriers.PDF417](ExIcaoVds.Carriers.PDF417.md): PDF417 carrier adapter backed by the Zint CLI tool.
  - [ExIcaoVds.Carriers.QR](ExIcaoVds.Carriers.QR.md): QR Code carrier — pure Elixir, no external dependencies.

- Encryption
  - [ExIcaoVds.Crypto.HPKE](ExIcaoVds.Crypto.HPKE.md): RFC 9180 HPKE Base Mode: DHKEM(P-256, HKDF-SHA256) + HKDF-SHA256 + AES-256-GCM.
  - [ExIcaoVds.Encryptor](ExIcaoVds.Encryptor.md): Behaviour for optional field-level encryption inside the VDS message zone.
  - [ExIcaoVds.Encryptors.HPKE](ExIcaoVds.Encryptors.HPKE.md): Field-level HPKE encryptor using RFC 9180 Base Mode.
  - [ExIcaoVds.Encryptors.None](ExIcaoVds.Encryptors.None.md): No-op encryptor for profiles that do not use field-level encryption.

- Capacity Planning
  - [ExIcaoVds.Capacity](ExIcaoVds.Capacity.md): Carrier capacity estimation and runtime preflight checks.
  - [ExIcaoVds.CapacityEstimate](ExIcaoVds.CapacityEstimate.md): Result of design-time capacity estimation for a VDS profile.
  - [ExIcaoVds.CapacityPreflight](ExIcaoVds.CapacityPreflight.md): Result of a runtime preflight carrier capacity check.

- Data Structures
  - [ExIcaoVds.EncryptionOutput](ExIcaoVds.EncryptionOutput.md): Encryption metadata returned by `ExIcaoVds.issue/2` when field-level encryption is configured.
  - [ExIcaoVds.Error](ExIcaoVds.Error.md): Structured error type returned by all public API functions.
  - [ExIcaoVds.Feature](ExIcaoVds.Feature.md): A single data field within a VDS message zone.
  - [ExIcaoVds.Header](ExIcaoVds.Header.md): VDS header struct and binary encoder/decoder.
  - [ExIcaoVds.IssuedSeal](ExIcaoVds.IssuedSeal.md): Result returned by `ExIcaoVds.issue/2`.
  - [ExIcaoVds.MessageZone](ExIcaoVds.MessageZone.md): VDS message zone: an ordered list of TLV-encoded feature fields.
  - [ExIcaoVds.Signature](ExIcaoVds.Signature.md): Signature produced by a Signer backend.
  - [ExIcaoVds.SignatureZone](ExIcaoVds.SignatureZone.md): VDS signature zone struct and binary encoder/decoder.
  - [ExIcaoVds.VerificationResult](ExIcaoVds.VerificationResult.md): Result returned by `ExIcaoVds.verify/2`.

- Pipelines
  - [ExIcaoVds.Codec](ExIcaoVds.Codec.md): Full VDS encode/decode: assembles and parses complete VDS byte sequences.
  - [ExIcaoVds.SealIssuer](ExIcaoVds.SealIssuer.md): Issuance pipeline: validates input, builds header + message zone, signs, assembles the complete VDS binary, and optionally renders a carrier.
  - [ExIcaoVds.SignatureVerifier](ExIcaoVds.SignatureVerifier.md): Verifies a VDS signature against trust material resolved by a `TrustResolver`.
  - [ExIcaoVds.Verifier](ExIcaoVds.Verifier.md): Verification pipeline: parses a VDS binary, resolves trust material, verifies the signature, decodes features, and runs policy checks.

- Behaviours & Extension Points
  - [ExIcaoVds.AuditLogger](ExIcaoVds.AuditLogger.md): Behaviour for audit logging. Wire in a custom logger to persist issuance and verification audit trails without hard-wiring storage into the library.
  - [ExIcaoVds.AuditLoggers.Noop](ExIcaoVds.AuditLoggers.Noop.md): No-op audit logger. Events are discarded silently.
  - [ExIcaoVds.Clock](ExIcaoVds.Clock.md): Behaviour for time sources. Inject `ExIcaoVds.Clocks.Fixed` in tests to produce deterministic timestamps.
  - [ExIcaoVds.Clocks.Fixed](ExIcaoVds.Clocks.Fixed.md): Deterministic clock for tests. Provide `:date` and `:datetime` in opts.
  - [ExIcaoVds.Clocks.System](ExIcaoVds.Clocks.System.md): Clock implementation backed by the system clock.
  - [ExIcaoVds.Policies.Default](ExIcaoVds.Policies.Default.md): Default policy checks applied after signature verification.
  - [ExIcaoVds.Policy](ExIcaoVds.Policy.md): Behaviour for document-level business rule checks applied after signature verification. Policies are separate from cryptographic validity.

- Configuration
  - [ExIcaoVds.Config](ExIcaoVds.Config.md): Configuration loading, merging, and secret resolution.

## Mix Tasks

- [mix ex_icao_vds.tag](Mix.Tasks.ExIcaoVds.Tag.md): Creates an annotated git tag that matches the version in `mix.exs`.
- [mix ex_icao_vds.version](Mix.Tasks.ExIcaoVds.Version.md): Bumps the package version in `mix.exs` and updates the dependency snippet in `README.md`.

