Configuration schema and validator for pkcs11ex.
See docs/specs/api.md §1 for the canonical schema. This module is the
authoritative implementation of that schema. Boot-time validation runs from
Pkcs11ex.Application.start/2; bad configuration prevents the OTP
application from starting.
Two-stage validation:
- Schema validation via NimbleOptions — type-checks every key.
- Cross-field invariants — the eleven rules documented in api.md §1.5 (allowlist non-empty, default_slot exists, pin_callback rules, key/cert exclusivity, driver existence, driver pin SHA-256 match, etc.).
All failures raise Pkcs11ex.Error with reason: :invalid_config and a
:path indicating the offending config key.
Types
@type alg() :: :PS256 | :RS256 | :ES256 | :EdDSA
@type slot_type() :: :cloud_hsm | :token | :soft_hsm
@type t() :: %Pkcs11ex.Config{
  algorithms: %{optional(atom()) => module()},
  allowed_algs: [alg(), ...],
  default_slot: atom() | nil,
  driver_pins: %{optional(String.t()) => String.t()},
  session_timeout: non_neg_integer(),
  signature_header: String.t(),
  slots: keyword(),
  telemetry_prefix: [atom()],
  trust_policy: module()
}
Functions
Loads, validates, and structures the configuration.
Options
- :env — keyword list to validate. Defaults to Application.get_all_env(:pkcs11ex).
- :check_files — when true (default), validates that each slot's driver exists on disk and that any :driver_pins SHA-256 matches the on-disk file. Tests pass false to skip these checks.
Errors
Raises Pkcs11ex.Error with reason: :invalid_config on any failure. The
exception's :path indicates the offending config key.
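The kind of driver pin check that :check_files describes, written as an added example; it is not pkcs11ex's own code. It assumes :driver_pins maps a driver path to the hex SHA-256 of the file at that path, and the module name DriverPinExample, the error tuple shape and the temp file are constructed for illustration.

```elixir
defmodule DriverPinExample do
  # Hypothetical helper, not part of pkcs11ex.
  # Assumption: driver_pins is %{driver_path => hex SHA-256 of that file}.

  @spec check(%{optional(String.t()) => String.t()}) :: :ok | {:error, keyword()}
  def check(driver_pins) do
    Enum.reduce_while(driver_pins, :ok, fn {path, pinned}, :ok ->
      case File.read(path) do
        {:ok, bytes} ->
          actual = Base.encode16(:crypto.hash(:sha256, bytes), case: :lower)

          if actual == String.downcase(pinned) do
            {:cont, :ok}
          else
            # The library on disk is not the one that was pinned: refuse to load it.
            {:halt, {:error, [reason: :invalid_config, path: [:driver_pins, path]]}}
          end

        {:error, _posix} ->
          # A missing or unreadable driver fails validation as well.
          {:halt, {:error, [reason: :invalid_config, path: [:driver_pins, path]]}}
      end
    end)
  end
end

# Constructed sample: a temp file stands in for the PKCS#11 driver library.
path = Path.join(System.tmp_dir!(), "fake_pkcs11_driver.so")
File.write!(path, "original driver bytes")
pin = Base.encode16(:crypto.hash(:sha256, "original driver bytes"), case: :lower)

# The pinned digest matches the file on disk.
:ok = DriverPinExample.check(%{path => pin})

# The file is replaced after pinning: the check reports the offending key.
File.write!(path, "replaced driver bytes")
{:error, [reason: :invalid_config, path: [:driver_pins, ^path]]} =
  DriverPinExample.check(%{path => pin})

File.rm!(path)
```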
@spec schema() :: keyword()
Returns the canonical NimbleOptions schema (top-level only).