Constructs PKCS#7 SignedData structures for Apple Wallet pass signing.
Uses only Erlang/OTP's :public_key and :crypto — no external dependencies.
Functions
Returns true if the signer certificate carries Apple's NFC pass entitlement
(extension OID 1.2.840.113635.100.6.1.26 — the "Pass Type ID with NFC"
certificate).
Apple Wallet rejects any pass that declares an nfc dictionary unless it is
signed by such a certificate, so callers should use this to decide whether to
emit the stanza. When Apple grants NFC and the reissued certificate is
installed, this flips to true with no further code changes.
The result is memoized in :persistent_term (keyed by a hash of the PEM), so
the certificate is parsed — and the detection logged — at most once per
distinct credential per VM.
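One way such a check can be written with only `:public_key`, `:crypto` and `:persistent_term`, as an added example that is not this library's own code. The module name `NfcEntitlementCheck`, the function name `nfc_entitled?/1` and the log message are hypothetical; the OID is the one quoted above.

```elixir
defmodule NfcEntitlementCheck do
  # Added illustration; module and function names are hypothetical.
  require Record
  require Logger

  @hrl "public_key/include/public_key.hrl"
  Record.defrecordp(:certificate, :Certificate, Record.extract(:Certificate, from_lib: @hrl))
  Record.defrecordp(:tbs_cert, :TBSCertificate, Record.extract(:TBSCertificate, from_lib: @hrl))
  Record.defrecordp(:extension, :Extension, Record.extract(:Extension, from_lib: @hrl))

  # OID from the documentation above, in the tuple form :public_key uses.
  @nfc_oid {1, 2, 840, 113635, 100, 6, 1, 26}

  @spec nfc_entitled?(binary()) :: boolean()
  def nfc_entitled?(cert_pem) when is_binary(cert_pem) do
    # Key on a hash of the PEM so a reissued certificate gets its own entry.
    key = {__MODULE__, :crypto.hash(:sha256, cert_pem)}

    case :persistent_term.get(key, :miss) do
      :miss ->
        result = detect(cert_pem)
        Logger.info("NFC pass entitlement present: #{result}")
        :persistent_term.put(key, result)
        result

      cached ->
        # A cached `false` is a valid hit, hence the distinct :miss default.
        cached
    end
  end

  defp detect(cert_pem) do
    entries = :public_key.pem_decode(cert_pem)

    with {:Certificate, der, _} <- List.keyfind(entries, :Certificate, 0),
         certificate(tbsCertificate: tbs) <- :public_key.pkix_decode_cert(der, :plain),
         extensions when is_list(extensions) <- tbs_cert(tbs, :extensions) do
      # Only the extension's presence matters; its value is never decoded.
      Enum.any?(extensions, &(extension(&1, :extnID) == @nfc_oid))
    else
      # No certificate entry in the PEM, or no extensions (:asn1_NOVALUE).
      _ -> false
    end
  end
end
```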
Signs data and produces a DER-encoded PKCS#7 SignedData structure.
- data — the binary content to sign (manifest JSON for Apple Wallet)
- cert_pem — PEM-encoded signer certificate
- key_pem — PEM-encoded private key for the signer
- extra_certs_pem — PEM-encoded additional certificates (e.g., WWDR)
Returns {:ok, der_binary} or {:error, reason}.