WalletPasses.Apple.PKCS7 (wallet_passes v0.10.0)


Constructs PKCS#7 SignedData structures for Apple Wallet pass signing.

Uses only Erlang/OTP's :public_key and :crypto — no external dependencies.

Summary

Functions

alg_id(args \\ [])

(macro)

alg_id(record, args)

(macro)

content_info(args \\ [])

(macro)

content_info(record, args)

(macro)

encap_content_info(args \\ [])

(macro)

encap_content_info(record, args)

(macro)

issuer_serial(args \\ [])

(macro)

issuer_serial(record, args)

(macro)

nfc_entitled?(cert_pem)

@spec nfc_entitled?(binary()) :: boolean()

Returns true if the signer certificate carries Apple's NFC pass entitlement (extension OID 1.2.840.113635.100.6.1.26 — the "Pass Type ID with NFC" certificate).

Apple Wallet rejects any pass that declares an nfc dictionary unless it is signed by such a certificate, so callers should consult this before emitting that dictionary. Once Apple grants NFC and the reissued certificate is installed, the result flips to true with no further code changes.

The result is memoized in :persistent_term (keyed by a hash of the PEM), so the certificate is parsed — and the detection logged — at most once per distinct credential per VM.

sign(data, cert_pem, key_pem, extra_certs_pem)

@spec sign(binary(), binary(), binary(), binary()) ::
  {:ok, binary()} | {:error, term()}

Signs data and produces a DER-encoded PKCS#7 SignedData structure.

  • data — the binary content to sign (manifest JSON for Apple Wallet)
  • cert_pem — PEM-encoded signer certificate
  • key_pem — PEM-encoded private key for the signer
  • extra_certs_pem — PEM-encoded additional certificates (e.g., WWDR)

Returns {:ok, der_binary} or {:error, reason}.
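The following is an added usage example, not code from the wallet_passes package: it gates the nfc dictionary on nfc_entitled?/1, builds the manifest JSON, signs it with sign/4 and zips the result. Everything beyond those two calls is an assumption: the credential paths, the use of Jason for JSON encoding, and the pkpass layout (pass.json, a manifest.json mapping each file name to its SHA-1 hex digest, and a signature file), which this page does not describe.

```elixir
# Added example (not part of wallet_passes). Assumes Jason is available and
# that the bundle follows Apple's pkpass layout: pass.json + assets, a
# manifest.json of SHA-1 hex digests, and the DER signature in "signature".
defmodule PassBundle do
  require Logger
  alias WalletPasses.Apple.PKCS7

  # Placeholder credential paths; adjust for your deployment.
  @cert_path "priv/certs/pass.pem"
  @key_path "priv/certs/pass-key.pem"
  @wwdr_path "priv/certs/wwdr.pem"

  @doc """
  Returns `{:ok, pkpass_binary}` for a pass dictionary plus a map of extra
  files (e.g. `%{"icon.png" => png_bytes}`), or `{:error, reason}`.
  """
  def build(pass, files \\ %{}) do
    cert_pem = File.read!(@cert_path)
    key_pem = File.read!(@key_path)
    wwdr_pem = File.read!(@wwdr_path)

    # Apple Wallet rejects a pass carrying "nfc" unless the signer cert has
    # the NFC entitlement, so drop it (loudly) when the cert lacks it.
    pass =
      if Map.has_key?(pass, "nfc") and not PKCS7.nfc_entitled?(cert_pem) do
        Logger.warning("signer certificate lacks NFC entitlement; omitting nfc dictionary")
        Map.delete(pass, "nfc")
      else
        pass
      end

    files = Map.put(files, "pass.json", Jason.encode!(pass))

    # manifest.json: file name => SHA-1 hex digest of that file's bytes.
    # (Assumed pkpass format; the page only calls this "manifest JSON".)
    manifest =
      files
      |> Map.new(fn {name, bytes} -> {name, sha1_hex(bytes)} end)
      |> Jason.encode!()

    # The PKCS#7 signature covers the manifest, not the individual files.
    # wwdr_pem goes in as the extra certificate so the chain is complete.
    with {:ok, signature_der} <- PKCS7.sign(manifest, cert_pem, key_pem, wwdr_pem) do
      entries =
        files
        |> Map.put("manifest.json", manifest)
        |> Map.put("signature", signature_der)
        |> Enum.map(fn {name, bytes} -> {String.to_charlist(name), bytes} end)

      # :zip.create/3 with [:memory] returns {:ok, {name, zip_binary}}.
      case :zip.create(~c"pass.pkpass", entries, [:memory]) do
        {:ok, {_name, zip}} -> {:ok, zip}
        {:error, reason} -> {:error, {:zip, reason}}
      end
    end
  end

  defp sha1_hex(bytes) do
    :crypto.hash(:sha, bytes) |> Base.encode16(case: :lower)
  end
end
```

Note that the manifest is computed before manifest.json and signature are added to the bundle, so neither file hashes itself, and any `{:error, reason}` from sign/4 falls straight out of the `with` unchanged.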

signed_data(args \\ [])

(macro)

signed_data(record, args)

(macro)

signer_info_rec(args \\ [])

(macro)

signer_info_rec(record, args)

(macro)