Stream: smart/health-cards
Topic: Public key
Stephen Whitney (May 04 2021 at 00:37):
We're leveraging AWS KMS to create the necessary asymmetric key in order to sign the smart card. How can I go from this:
```
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEVo94oTHAMQIFSajYapXtx7WzuoY7
8WHnDPtREwrTbT3BIRK6vKUdFIq+FRiyrHtaYnOgoba7yLrT3aWggXIggw==
-----END PUBLIC KEY-----
```
to this format:
```json
{
  "kty": "EC",
  "use": "sig",
  "crv": "P-256",
  "kid": "1234",
  "x": "oBUyo8CQAFPeYPvv78ylh5MwFZjTCLQeb042TjiMJxE=",
  "y": "vvQyxZkUjJQUPU/0bCy3Pj5qQdfu8jwEfqEeYGZ95CU=",
  "alg": "ES256"
}
```
Also, is it possible to generate the sha256 _public_ key fingerprint or would I need the private key to do so?
Thanks
Notification Bot (May 04 2021 at 00:55):
This topic was moved here from #smart > Public key by Josh Mandel
Stephen Whitney (May 04 2021 at 00:56):
thanks @Josh Mandel
Josh Mandel (May 04 2021 at 00:56):
The sha256 thumbprint can be calculated from the public JWK alone. To get a JWK the keywords you want are: "convert from PEM to JWK".
Josh Mandel (May 04 2021 at 00:58):
Depending on your language of choice, https://www.jvt.me/posts/2019/01/10/x509-pkcs8-pem-key-to-jwks-node/ may be a helpful tutorial
Stephen Whitney (May 04 2021 at 01:25):
Sweet! Output:
```json
{
  "keys": [
    {
      "kty": "EC",
      "kid": "HEEpaVqRJ8y4OCE7BKnqEPo-eCz44JpF_quM609TRDw",
      "crv": "P-256",
      "x": "Tg3UZ-kOp8kZV_okaO_MaEGzLfPykGoKTvCW-3hZT2A",
      "y": "PconlrnIFK6Jh_cA1ejeaQ5AuQ4rDAJ-KiZY4TX7vdE"
    }
  ]
}
```
Is this sufficient to add to .well-known/jwks.json?
Thanks again @Josh Mandel
Josh Mandel (May 04 2021 at 01:55):
Looks pretty good, though it's missing `alg` and `use` -- the validation SDK at https://smarthealth.cards/#what-testing-tools-are-available-to-validate-smart-health-cards-implementations will review this for you in detail.
Christian Paquin (May 04 2021 at 13:24):
Stephen Whitney said:
Also, is it possible to generate the sha256 _public_ key fingerprint or would I need the private key to do so?
The key fingerprint `kid` only depends on the fields `crv`, `kty`, `x`, and `y` (see [section 3.2 of RFC7638](https://tools.ietf.org/html/rfc7638#section-3.2)), so you can generate this from the public key. What platform/ language are you using for development? There should be a library handy to convert a PEM-formatted key into a JWK, and also calculate the `kid`.
Stephen Whitney (May 04 2021 at 14:36):
Christian Paquin said:
The key fingerprint `kid` only depends on the fields `crv`, `kty`, `x`, and `y` (see [section 3.2 of RFC7638](https://tools.ietf.org/html/rfc7638#section-3.2)), so you can generate this from the public key. What platform/ language are you using for development? There should be a library handy to convert a PEM-formatted key into a JWK, and also calculate the `kid`.
Thanks @Christian Paquin. We're using Python as our development language. I'm not sure python-jose or pyjwt will convert a PEM-formatted key into a JWK, so I used Node as mentioned by Josh to generate the JWK outside of our codebase.
Josh Mandel (May 04 2021 at 14:44):
@James Kizer or @Alan Viars may be able to point to some reference code in python as well. We should create a wiki page with links to these kinds of reference examples, because I think people find them pretty helpful.
Alan Viars (May 04 2021 at 16:23):
Josh Mandel said:
James Kizer or Alan Viars may be able to point to some reference code in python as well. We should create a wiki page with links to these kinds of reference examples, because I think people find them pretty helpful.
Here is my fork of James' code: https://github.com/TransparentHealth/healthcards_python_sample_scripts The only changes I made were: 1. to make this pip installable, 2. make scripts get installed as scripts, 3. to make shc a package module for easy import. I see I should update the README too. To install with pip just type "pip install shc". The code in each file's "def main():" should provide adequate examples for use. I made the pip/package so I could do a simple import into my Django-based implementation.
Paul Denning (May 04 2021 at 17:02):
Josh Mandel said:
We should create a wiki page with links to these kinds of reference examples ...
https://confluence.hl7.org/display/PHWG/SMART+Health+Cards+Implementation+Tools added
Last updated: Apr 12 2022 at 19:14 UTC