Pkcs11ex.JWS (pkcs11ex v0.1.0)


Convenience wrapper around SignCore.JWS, pre-configured with the PKCS#11 signer. Supports both detached (RFC 7797, the default) and attached (RFC 7515) JWS; pass the attached: true opt to select the attached form. :x5c is optional when a kid extra-header is supplied (the verifier resolves the cert via :kid_certs).

Summary

Functions

sign(payload, opts)

Sign via the configured PKCS#11 slot.

verify(jws, payload \\ nil, opts \\ [])

Verify. Delegates to SignCore.JWS.verify/3 — auto-detects detached vs attached from the JWS wire format. For detached, pass the payload as the second arg. For attached, pass nil (or the payload, which will be cross-checked).

Functions

sign(payload, opts)

@spec sign(
  iodata(),
  keyword()
) :: {:ok, binary()} | {:error, term()}

Sign via the configured PKCS#11 slot.

Defaults to detached (RFC 7797). Pass attached: true for RFC 7515 attached form (payload encoded in the middle segment).

verify(jws, payload \\ nil, opts \\ [])

@spec verify(binary(), iodata() | nil, keyword()) :: {:ok, term()} | {:error, term()}

Verify. Delegates to SignCore.JWS.verify/3 — auto-detects detached vs attached from the JWS wire format. For detached, pass the payload as the second arg. For attached, pass nil (or the payload, which will be cross-checked).
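
The wire-format distinction that verify/3 relies on, as an added Elixir sketch that is not pkcs11ex or SignCore code. It assumes compact serialization in which a detached JWS has an empty middle segment; the module name JwsWireFormatExample, the classify/2 function and the error atoms are hypothetical.

```elixir
defmodule JwsWireFormatExample do
  # Added illustration, not pkcs11ex or SignCore code. It inspects only the
  # compact wire format and performs no signature verification.
  # Assumption: a detached JWS is serialized as header..signature (empty middle
  # segment) and an attached one carries the base64url payload in the middle.
  @spec classify(binary(), iodata() | nil) ::
          {:ok, :detached | :attached, binary()} | {:error, atom()}
  def classify(jws, payload \\ nil) when is_binary(jws) do
    case String.split(jws, ".") do
      [header, "", sig] when header != "" and sig != "" ->
        # Detached: the signed bytes are not on the wire, so the caller must supply them.
        if is_nil(payload) do
          {:error, :payload_required}
        else
          {:ok, :detached, IO.iodata_to_binary(payload)}
        end

      [header, body, sig] when header != "" and sig != "" ->
        # Attached: decode the embedded payload, then cross-check any supplied copy.
        with {:ok, embedded} <- Base.url_decode64(body, padding: false) do
          cross_check(embedded, payload)
        else
          :error -> {:error, :bad_payload_encoding}
        end

      _ ->
        {:error, :malformed_compact_jws}
    end
  end

  defp cross_check(embedded, nil), do: {:ok, :attached, embedded}

  defp cross_check(embedded, payload) do
    if IO.iodata_to_binary(payload) == embedded do
      {:ok, :attached, embedded}
    else
      {:error, :payload_mismatch}
    end
  end
end

# Constructed sample values: placeholder header and signature segments, not real tokens.
payload = ~s({"amount":100})
attached = "aGVhZGVy." <> Base.url_encode64(payload, padding: false) <> ".c2ln"

IO.inspect(JwsWireFormatExample.classify("aGVhZGVy..c2ln", payload))
IO.inspect(JwsWireFormatExample.classify("aGVhZGVy..c2ln"))
IO.inspect(JwsWireFormatExample.classify(attached))
IO.inspect(JwsWireFormatExample.classify(attached, ~s({"amount":999})))
```

The third tuple element is the byte string a signature check would have to cover, so downstream code should act on that value rather than on a separately parsed copy. At this segment-only level, an attached JWS with an empty payload cannot be told apart from a detached one.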