# pkcs11ex v0.1.0 - Table of Contents

Hardware-backed digital signatures for Elixir, via PKCS#11. Layered library with first-class adapters for JWS (RFC 7797), PDF (PAdES), and XML (XML-DSig / XAdES). Backed by HSMs and hardware tokens through a Rust/Rustler bridge.

## Pages

- [pkcs11ex](readme.md)
- [pkcs11ex changelog](changelog.md)
- [Technical Specification: pkcs11ex](specs.md)
- [Public API Specification: pkcs11ex](api.md)

## Modules

- [Pkcs11ex.PKCS12.Bundle](Pkcs11ex.PKCS12.Bundle.md): A parsed PKCS#12 bundle.
- [Pkcs11ex.Slot.Pool](Pkcs11ex.Slot.Pool.md): Round-robin dispatcher for multi-session slot pools.
- [Pkcs11ex.Slot.Server](Pkcs11ex.Slot.Server.md): GenServer that owns a single slot's PKCS#11 module + persistent session.

- Layer 2 — Primitives
  - [Pkcs11ex](Pkcs11ex.md): Hardware-backed digital signatures for Elixir, via PKCS#11.

- Signer (SignCore.Signer impl)
  - [Pkcs11ex.Signer](Pkcs11ex.Signer.md): PKCS#11 implementation of the `SignCore.Signer` protocol.

- Convenience wrappers
  - [Pkcs11ex.JWS](Pkcs11ex.JWS.md): Convenience wrapper around `SignCore.JWS` pre-configured with the
PKCS#11 signer. Supports both detached (RFC 7797, default) and
attached (RFC 7515) JWS via the `attached: true` opt; supports
optional `:x5c` when a `kid` extra-header is supplied (verifier
resolves the cert via `:kid_certs`).

  - [Pkcs11ex.PDF](Pkcs11ex.PDF.md): Convenience wrapper around `SignCore.PDF` pre-configured with the
PKCS#11 signer.
  - [Pkcs11ex.X509](Pkcs11ex.X509.md): Backwards-compat alias for `SignCore.X509`. The struct, types,
and functions live in `sign_core` post-monorepo-split; this module
re-exposes them under the historical `Pkcs11ex.X509` name so
callers don't have to update their `alias` lines.

  - [Pkcs11ex.XML](Pkcs11ex.XML.md): Convenience wrapper around `SignCore.XML` pre-configured with the
PKCS#11 signer. Same shape as `Pkcs11ex.PDF`.

- Operational
  - [Pkcs11ex.Config](Pkcs11ex.Config.md): Configuration schema and validator for `pkcs11ex`.
  - [Pkcs11ex.PIN](Pkcs11ex.PIN.md): PIN-handling helpers.
  - [Pkcs11ex.PKCS12](Pkcs11ex.PKCS12.md): Read-only loader for PKCS#12 (`.p12` / `.pfx`) bundles.
  - [Pkcs11ex.Slot](Pkcs11ex.Slot.md): Public operational surface for configured slots.

- Exceptions
  - [Pkcs11ex.Error](Pkcs11ex.Error.md): Library exception used for `!`-variant raises and for configuration failures
that prevent the OTP application from starting.

## Mix Tasks

- [mix pkcs11ex.import_p12](Mix.Tasks.Pkcs11ex.ImportP12.md): Imports the private key + leaf certificate from a PKCS#12 (`.p12` / `.pfx`)
bundle into a configured PKCS#11 slot.