ETS-backed SNS X.509 certificate cache for SES webhook signature verification.
Caches RSA public key terms extracted from AWS SNS signing certificates,
keyed by SigningCertURL. Prevents repeated :httpc network calls for the
same certificate (D-10, D-12).
Cache entries expire after a configurable TTL (default 24 hours). Expiry is
checked lazily during fetch_public_key/1 — no background timer or sweep.
Usage
    # On cache miss in SES provider:
    case CertCache.fetch_public_key(cert_url) do
      {:ok, public_key} ->
        public_key

      :miss ->
        public_key = fetch_and_extract_public_key!(cert_url)
        expires_at = DateTime.add(Mailglass.Clock.utc_now(), ttl_seconds, :second)
        CertCache.put(cert_url, public_key, expires_at)
        public_key
    end
Functions
Fetches the cached RSA public key term for url.
Returns {:ok, public_key} on cache hit within TTL, :miss on cache miss
or if the cached entry has expired. Expired entries are evicted from ETS
before returning :miss.
@spec put(binary(), term(), DateTime.t()) :: :ok
Inserts public_key into the cache keyed by url with expiry expires_at.
Overwrites any existing entry for the same URL. The public_key term is
whatever :public_key.verify/4 accepts as its fourth argument — typically
an {:RSAPublicKey, n, e} record extracted from an X.509 certificate.
@spec reset() :: :ok
@spec table() :: :mailglass_webhook_ses_cert_cache
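The lazy-expiry contract described for fetch_public_key/1 and put/3 above can be sketched as follows. This is an added example, not Mailglass's own implementation: the module name CertCacheSketch, its table name, the injectable `now` argument, the sample URL and the toy key record are all assumptions made for illustration.

```elixir
defmodule CertCacheSketch do
  # Hypothetical stand-in module; not the Mailglass source.
  @table :cert_cache_sketch

  # Create the named ETS table once; the creating process owns it.
  def init do
    if :ets.whereis(@table) == :undefined do
      :ets.new(@table, [:named_table, :set, :public, read_concurrency: true])
    end

    :ok
  end

  # A :set table holds one row per key, so insert overwrites an existing URL.
  def put(url, public_key, %DateTime{} = expires_at) when is_binary(url) do
    true = :ets.insert(@table, {url, public_key, expires_at})
    :ok
  end

  # Lazy expiry: the TTL is only checked here, at read time.
  def fetch_public_key(url, now \\ DateTime.utc_now()) when is_binary(url) do
    case :ets.lookup(@table, url) do
      [{^url, public_key, expires_at} = row] ->
        if DateTime.compare(now, expires_at) == :lt do
          {:ok, public_key}
        else
          # Evict only the exact stale row, so a fresh entry written by a
          # concurrent put/3 between lookup and delete is not thrown away.
          :ets.delete_object(@table, row)
          :miss
        end

      [] ->
        :miss
    end
  end
end

# Constructed sample data: placeholder URL and toy key, not a real SNS certificate.
CertCacheSketch.init()
url = "https://sns.example.invalid/cert.pem"
key = {:RSAPublicKey, 3233, 17}
now = ~U[2024-01-01 00:00:00Z]

CertCacheSketch.put(url, key, DateTime.add(now, 24 * 60 * 60, :second))
{:ok, ^key} = CertCacheSketch.fetch_public_key(url, now)
:miss = CertCacheSketch.fetch_public_key(url, DateTime.add(now, 86_401, :second))
[] = :ets.lookup(:cert_cache_sketch, url)
```

Because expiry is enforced only on read, an entry that is never requested again stays in the table until reset or VM restart; the final match shows that a read past the TTL is what removes it.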