Pkcs11ex.Slot (pkcs11ex v0.1.0)

Copy Markdown View Source

Public operational surface for configured slots.

Each slot in config :pkcs11ex, :slots maps to a Pkcs11ex.Slot.Server GenServer started under Pkcs11ex.SlotSupervisor. This module exposes the caller-facing API.

Phase 2 step 1 surface

Sign / verify here are the slot-aware path with persistent sessions — one PKCS#11 session per slot, reused across calls. Compare with Pkcs11ex.sign_bytes/2 / verify_bytes/4 which take an explicit module + slot_id and open a new session per call (the Phase 1 path).

Step 3 unifies these by routing Pkcs11ex.sign_bytes/2 through this module whenever a :signer opt is provided.

Summary

Types

state()

State exposed by status/1.

Functions

list()

List all running slot servers along with their state.

login(slot_ref, pin)

Explicit one-shot login. Use this when bypassing a configured pin_callback (e.g., in scripts or tests). The PIN is consumed once; the next sign call reuses the logged-in session.

logout(slot_ref)

Explicit logout. Closes the PKCS#11 user session but keeps the underlying session resource open for reuse (next sign call will need a PIN again).

sign(slot_ref, key_label, mechanism, data, opts \\ [])

Sign data with key_label on slot_ref. The PIN is taken from opts[:pin] if the slot isn't already logged in. Subsequent calls reuse the logged-in session.

status(slot_ref)

Returns the slot's current state (:uninitialized, :open, or :logged_in).

verify(slot_ref, key_label, mechanism, data, signature, opts \\ [])

Verify a signature on slot_ref.

Types

state()

@type state() :: :uninitialized | :open | :logged_in

State exposed by status/1.

Functions

list()

@spec list() :: [%{ref: atom(), state: state()}]

List all running slot servers along with their state.

login(slot_ref, pin)

@spec login(atom(), binary()) :: :ok | {:error, term()}

Explicit one-shot login. Use this when bypassing a configured pin_callback (e.g., in scripts or tests). The PIN is consumed once; the next sign call reuses the logged-in session.

logout(slot_ref)

@spec logout(atom()) :: :ok | {:error, term()}

Explicit logout. Closes the PKCS#11 user session but keeps the underlying session resource open for reuse (next sign call will need a PIN again).

sign(slot_ref, key_label, mechanism, data, opts \\ [])

@spec sign(atom(), String.t(), atom(), iodata(), keyword()) ::
  {:ok, binary()} | {:error, term()}

Sign data with key_label on slot_ref. The PIN is taken from opts[:pin] if the slot isn't already logged in. Subsequent calls reuse the logged-in session.

Mechanism is the algorithm's PKCS#11 mechanism atom (e.g., :ck_sha256_rsa_pkcs_pss for PS256 — see SignCore.Algorithm.PS256.signing_mechanism/0).

status(slot_ref)

@spec status(atom()) :: state()

Returns the slot's current state (:uninitialized, :open, or :logged_in).

verify(slot_ref, key_label, mechanism, data, signature, opts \\ [])

@spec verify(atom(), String.t(), atom(), iodata(), binary(), keyword()) ::
  :ok | {:error, term()}

Verify a signature on slot_ref.