Adding JWE encoding

Author: alopezo

package.json

@@ -11,7 +11,8 @@
     "test": "ng test",
     "download-ucum": "node scripts/download-ucum-units.js",
     "download-ehdsi-results": "node scripts/download-ehdsi-results-coded-value.js",
-    "download-ehdsi-lab-technique": "node scripts/download-ehdsi-lab-technique.js"
+    "download-ehdsi-lab-technique": "node scripts/download-ehdsi-lab-technique.js",
+    "generate-shl-demo": "node scripts/generate-shl-demo.js"
   },
   "private": true,
   "dependencies": {

scripts/generate-shl-demo.js

@@ -0,0 +1,90 @@
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+
+const rootDir = path.resolve(__dirname, '..');
+const sourcePath = path.join(rootDir, 'src/assets/data/ips-example-active-penicillin.json');
+const outDir = path.join(rootDir, 'src/assets/shl/ips-example-active-penicillin');
+const manifestPath = path.join(outDir, 'manifest.json');
+const jwePath = path.join(outDir, 'ips-example-active-penicillin.jwe');
+const metadataPath = path.join(outDir, 'demo-link-metadata.json');
+
+const toBase64Url = (input) => {
+  const buffer = Buffer.isBuffer(input) ? input : Buffer.from(input, 'utf8');
+  return buffer.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/g, '');
+};
+
+function encryptCompactJwe(plainText, keyBytes) {
+  const protectedHeader = { alg: 'dir', enc: 'A256GCM' };
+  const protectedHeaderB64 = toBase64Url(JSON.stringify(protectedHeader));
+
+  const iv = crypto.randomBytes(12);
+  const cipher = crypto.createCipheriv('aes-256-gcm', keyBytes, iv, { authTagLength: 16 });
+  cipher.setAAD(Buffer.from(protectedHeaderB64, 'ascii'));
+
+  const ciphertext = Buffer.concat([cipher.update(plainText, 'utf8'), cipher.final()]);
+  const tag = cipher.getAuthTag();
+
+  const jweCompact = [
+    protectedHeaderB64,
+    '',
+    toBase64Url(iv),
+    toBase64Url(ciphertext),
+    toBase64Url(tag)
+  ].join('.');
+
+  return jweCompact;
+}
+
+function main() {
+  const plainText = fs.readFileSync(sourcePath, 'utf8');
+  fs.mkdirSync(outDir, { recursive: true });
+
+  const envKey = process.env.SHL_DEMO_KEY_B64URL;
+  const keyBytes = envKey
+    ? Buffer.from(envKey.replace(/-/g, '+').replace(/_/g, '/').padEnd(Math.ceil(envKey.length / 4) * 4, '='), 'base64')
+    : crypto.randomBytes(32);
+
+  if (keyBytes.length !== 32) {
+    throw new Error('SHL_DEMO_KEY_B64URL must decode to exactly 32 bytes for A256GCM');
+  }
+
+  const keyB64Url = toBase64Url(keyBytes);
+  const jweCompact = encryptCompactJwe(plainText, keyBytes);
+
+  const manifest = {
+    presentationInfo: {
+      name: 'IPS Example Active Penicillin'
+    },
+    files: [
+      {
+        contentType: 'application/fhir+json',
+        location: './ips-example-active-penicillin.jwe'
+      }
+    ]
+  };
+
+  const metadata = {
+    id: 'ips-example-active-penicillin',
+    label: 'IPS Example Active Penicillin',
+    sourceFile: 'assets/data/ips-example-active-penicillin.json',
+    manifestFile: 'assets/shl/ips-example-active-penicillin/manifest.json',
+    key: keyB64Url,
+    alg: 'dir',
+    enc: 'A256GCM'
+  };
+
+  fs.writeFileSync(jwePath, jweCompact, 'utf8');
+  fs.writeFileSync(manifestPath, JSON.stringify(manifest, null, 2) + '\n', 'utf8');
+  fs.writeFileSync(metadataPath, JSON.stringify(metadata, null, 2) + '\n', 'utf8');
+
+  console.log('Generated SHL demo files:');
+  console.log(`- ${path.relative(rootDir, manifestPath)}`);
+  console.log(`- ${path.relative(rootDir, jwePath)}`);
+  console.log(`- ${path.relative(rootDir, metadataPath)}`);
+  console.log('');
+  console.log('Use this SHL key in SmartHealthLinksComponent:');
+  console.log(keyB64Url);
+}
+
+main();

src/app/benefits-demo/interoperability/interoperability.component.ts

@@ -1326,7 +1326,7 @@ export class InteroperabilityComponent implements OnInit, OnDestroy {
 
     try {
       const shlinkPayload = this.parseShlinkPayload(rawQrValue);
-      const bundle = await this.fetchBundleFromShl(shlinkPayload.url);
+      const bundle = await this.fetchBundleFromShl(shlinkPayload.url, shlinkPayload.key);
       this.validateIPSBundleOrThrow(bundle);
       this.processIPSBundleObject(bundle, 'SHL');
     } catch (error) {
@@ -1337,7 +1337,7 @@ export class InteroperabilityComponent implements OnInit, OnDestroy {
     }
   }
 
-  private parseShlinkPayload(rawQrValue: string): { url: string } {
+  private parseShlinkPayload(rawQrValue: string): { url: string; key?: string } {
     if (!rawQrValue.startsWith('shlink:/')) {
       throw new Error('Scanned QR is not a SMART Health Link (shlink:/...).');
     }
@@ -1354,20 +1354,27 @@ export class InteroperabilityComponent implements OnInit, OnDestroy {
       throw new Error('SHL payload does not contain a valid manifest URL.');
     }
 
-    return { url: payload.url };
+    if (payload.key !== undefined && typeof payload.key !== 'string') {
+      throw new Error('SHL payload key must be a base64url string.');
+    }
+
+    return { url: payload.url, key: payload.key };
   }
 
   private decodeBase64UrlToText(base64Url: string): string {
+    return new TextDecoder().decode(this.decodeBase64UrlToBytes(base64Url));
+  }
+
+  private decodeBase64UrlToBytes(base64Url: string): Uint8Array {
     const base64 = base64Url
       .replace(/-/g, '+')
       .replace(/_/g, '/')
       .padEnd(Math.ceil(base64Url.length / 4) * 4, '=');
     const binary = atob(base64);
-    const bytes = Uint8Array.from(binary, char => char.charCodeAt(0));
-    return new TextDecoder().decode(bytes);
+    return Uint8Array.from(binary, char => char.charCodeAt(0));
   }
 
-  private async fetchBundleFromShl(manifestUrl: string): Promise<any> {
+  private async fetchBundleFromShl(manifestUrl: string, shlKey?: string): Promise<any> {
     const manifestResponse = await fetch(manifestUrl);
     if (!manifestResponse.ok) {
       throw new Error(`Unable to download SHL manifest (${manifestResponse.status}).`);
@@ -1390,7 +1397,84 @@ export class InteroperabilityComponent implements OnInit, OnDestroy {
       throw new Error(`Unable to download SHL file (${resourceResponse.status}).`);
     }
 
-    return resourceResponse.json();
+    const resourceText = await resourceResponse.text();
+    const trimmedContent = resourceText.trim();
+
+    if (this.isCompactJwe(trimmedContent)) {
+      if (!shlKey) {
+        throw new Error('SHL payload does not include a decryption key for JWE content.');
+      }
+      const decryptedPayload = await this.decryptCompactJwe(trimmedContent, shlKey);
+      return JSON.parse(decryptedPayload);
+    }
+
+    return JSON.parse(resourceText);
+  }
+
+  private isCompactJwe(content: string): boolean {
+    const parts = content.split('.');
+    return parts.length === 5 && parts[0].length > 0;
+  }
+
+  private async decryptCompactJwe(compactJwe: string, keyBase64Url: string): Promise<string> {
+    const parts = compactJwe.split('.');
+    if (parts.length !== 5) {
+      throw new Error('Invalid Compact JWE format.');
+    }
+
+    const [protectedHeaderB64, encryptedKeyB64, ivB64, ciphertextB64, tagB64] = parts;
+    if (encryptedKeyB64 !== '') {
+      throw new Error('Only direct encryption (alg=dir) is supported in this demo.');
+    }
+
+    const protectedHeaderText = this.decodeBase64UrlToText(protectedHeaderB64);
+    const protectedHeader = JSON.parse(protectedHeaderText);
+    if (protectedHeader.alg !== 'dir' || protectedHeader.enc !== 'A256GCM') {
+      throw new Error('Unsupported JWE algorithm. Expected alg=dir and enc=A256GCM.');
+    }
+
+    const keyBytes = this.decodeBase64UrlToBytes(keyBase64Url);
+    if (keyBytes.byteLength !== 32) {
+      throw new Error('Invalid SHL key length. Expected 32 bytes for A256GCM.');
+    }
+
+    const iv = this.decodeBase64UrlToBytes(ivB64);
+    const ciphertext = this.decodeBase64UrlToBytes(ciphertextB64);
+    const tag = this.decodeBase64UrlToBytes(tagB64);
+    const encryptedPayload = this.concatUint8Arrays(ciphertext, tag);
+    const aad = new TextEncoder().encode(protectedHeaderB64);
+
+    const cryptoKey = await crypto.subtle.importKey(
+      'raw',
+      this.toArrayBuffer(keyBytes),
+      { name: 'AES-GCM' },
+      false,
+      ['decrypt']
+    );
+
+    const decryptedBuffer = await crypto.subtle.decrypt(
+      {
+        name: 'AES-GCM',
+        iv: this.toArrayBuffer(iv),
+        additionalData: this.toArrayBuffer(aad),
+        tagLength: 128
+      },
+      cryptoKey,
+      this.toArrayBuffer(encryptedPayload)
+    );
+
+    return new TextDecoder().decode(new Uint8Array(decryptedBuffer));
+  }
+
+  private concatUint8Arrays(first: Uint8Array, second: Uint8Array): Uint8Array {
+    const combined = new Uint8Array(first.length + second.length);
+    combined.set(first, 0);
+    combined.set(second, first.length);
+    return combined;
+  }
+
+  private toArrayBuffer(bytes: Uint8Array): ArrayBuffer {
+    return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength) as ArrayBuffer;
   }
 
   private validateIPSBundleOrThrow(bundle: any): void {

src/app/benefits-demo/smart-health-links/smart-health-links.component.ts

@@ -27,7 +27,8 @@ export class SmartHealthLinksComponent implements OnInit {
         'ips-example-active-penicillin',
         'IPS Example Active Penicillin',
         'assets/data/ips-example-active-penicillin.json',
-        'assets/shl/ips-example-active-penicillin/manifest.json'
+        'assets/shl/ips-example-active-penicillin/manifest.json',
+        'RfauHCPL59FysuVS0nmEpawm_VhF4z1P8Z-w_gtZqII'
       )
     ];
   }
@@ -78,11 +79,17 @@ export class SmartHealthLinksComponent implements OnInit {
     }
   }
 
-  private buildLinkItem(id: string, label: string, sourceFile: string, manifestPath: string): SmartHealthLinkItem {
+  private buildLinkItem(
+    id: string,
+    label: string,
+    sourceFile: string,
+    manifestPath: string,
+    key: string
+  ): SmartHealthLinkItem {
     const manifestUrl = this.getAbsoluteUrl(manifestPath);
     const payload = {
       url: manifestUrl,
-      key: this.generateDemoKey(),
+      key,
       label
     };
 
@@ -111,19 +118,6 @@ export class SmartHealthLinksComponent implements OnInit {
     return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/g, '');
   }
 
-  private generateDemoKey(): string {
-    const bytes = new Uint8Array(32);
-    crypto.getRandomValues(bytes);
-
-    let binary = '';
-    bytes.forEach(byte => {
-      binary += String.fromCharCode(byte);
-    });
-
-    const base64 = btoa(binary);
-    return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/g, '');
-  }
-
   private downloadBlobUrl(blobUrl: string, fileName: string): void {
     const anchor = document.createElement('a');
     anchor.href = blobUrl;

src/assets/shl/ips-example-active-penicillin/demo-link-metadata.json

@@ -0,0 +1,9 @@
+{
+  "id": "ips-example-active-penicillin",
+  "label": "IPS Example Active Penicillin",
+  "sourceFile": "assets/data/ips-example-active-penicillin.json",
+  "manifestFile": "assets/shl/ips-example-active-penicillin/manifest.json",
+  "key": "RfauHCPL59FysuVS0nmEpawm_VhF4z1P8Z-w_gtZqII",
+  "alg": "dir",
+  "enc": "A256GCM"
+}

src/assets/shl/ips-example-active-penicillin/ips-example-active-penicillin.jwe

@@ -5,7 +5,7 @@
   "files": [
     {
       "contentType": "application/fhir+json",
-      "location": "../../data/ips-example-active-penicillin.json"
+      "location": "./ips-example-active-penicillin.jwe"
     }
   ]
 }