How to incorporate the jsrasign library in Mirth Connect?

[Coooz]

Hi,

Since in my Mirth Connect channel I need both to perform RSA encryption and read a private key from a certificate, it would be great if I was able to incorporate the jsrasign library (https://kjur.github.io/jsrsasign/), since it contains the functionality to do both. It should work since the javascript version of the library is ECMAScript 3.

But how do I go about it so that it actually works? I've tried - and that may not be the best approach - to copy the the contents of the file jsrsasign-all-min.js in the channel's Deploy script, which gave me an error upon deploying, "ReferenceError: 'navigator' is not defined." How do I know which files to use and where do I place them? I'm using Mirth Connect 4.3.0. Any helpful suggestions will be much appreciated!

[jonbartels]

A few things:

1. Try searching the forums. Use Google and site:forums.mirthproject.io jsrassign or search this GitHub project for jsrassign. jsrassign seems common enough that someone else might have used it and shared an example
2. Running custom code in Mirth is typically done using Java not Javascript. Adding JARs to a resource directory then makes those classes available in Java
3. RSA crypto is common enough that it might be supported in Mirth already by core Java classes. The same search patterns might turn up examples for how to RSA encrypt data in Mirth using Java.

[pacmano1]

How about posting your code?

[pacmano1]

This is sort of a confusing ask though - I would expect encryption to be done with the recipients public key - assuming you are sending something downstream. For that matter if I was storing stuff to a db I would use my own pulbic key.

If you are digittally signing something, that would be with the private key.

[Coooz]

Hi @pacmano1,
"How about posting your code?" Good idea. First, some background on what I am trying to establish can be found here: https://fhir.epic.com/Documentation?docId=oauth2&section=JsonWebTokens (and in particular the section Creating a JWT) and why I would need a JSON Web Token can be read in the chapter before that (https://fhir.epic.com/Documentation?docId=oauth2&section=BackendOAuth2Guide).

I use a channel's Destination Transformer to create a JWT, and what I've come up with so far is the following:

//prepare encryption: get a key pair
var keyGen = java.security.KeyPairGenerator.getInstance("RSA")
keyGen.initialize(2048);
var keys = keyGen.generateKeyPair();
var public_key = keys.getPublic();
var private_key = keys.getPrivate();

//header and payload
var jwt_header = {
	'alg': 'RS384', 
	'typ': 'JWT', 
	'kid': public_key
	};
var jwt_payload = {
	'iss': configurationMap.get('FHIR_client_id'), //bd1ad72d-e871-49b9-a791-99c6650614cf
	'sub': configurationMap.get('FHIR_client_id'), //bd1ad72d-e871-49b9-a791-99c6650614cf
	'aud': configurationMap.get('FHIR_server_auth_url'), //https://info.fhir.accept.prod/interconnect-fhir-oauth2/token (bogus url)
	'jti': UUIDGenerator.getUUID(),
	'exp': Math.floor(Date.now() / 1000) + 270 //270 seconds is 4 1/2 minutes
};

//create jwt
var headerString = JSON.stringify(jwt_header);
var payloadString = JSON.stringify(jwt_payload);
var signature = encrypt(base64UrlEncode(headerString) + '.' + base64UrlEncode(payloadString), private_key);
var full_jwt = base64UrlEncode(headerString) + '.' + base64UrlEncode(payloadString) + '.' + base64UrlEncode(signature);
channelMap.put('jwt', full_jwt);


function encrypt(encrypt_this, key) {
	var cipher = javax.crypto.Cipher.getInstance("RSA");
	cipher.init(javax.crypto.Cipher.ENCRYPT_MODE, key);
	var encrypt_this_byteArray = stringToByteArray(encrypt_this);
	var encrypted = cipher.doFinal(encrypt_this_byteArray); //javax.crypto.IllegalBlockSizeException: Data must not be longer than 245 bytes
	return byteArrayToString(encrypted); 
}


function byteArrayToString(byteArray) {
	var str = '';
	for (var i = 0; i < byteArray.length; i++) {
	    str += String.fromCharCode(byteArray[i]);
	}
	return str;
}


function stringToByteArray(str) {
	var byteArray = [];
	for (var i = 0; i < str.length; i++) {
	    byteArray.push(str.charCodeAt(i));
	}
	return byteArray;
}

base64UrlEncode() is a function in a code template that returns a base64 encoded string in which in addition all instances of '=' are replaced by '', all instances of '/' by '_', and all instances of '+' by '-'.
The private and public key are generated here which is not according to the documentation I referred to - that's another matter and not relevant for now. I hope this helps in what I can do to avoid or overcome the IllegalBlockSizeException.

[pacmano1]

https://github.com/pacmano1/Mirth-Snippets/blob/main/epicJWTusingNimbusJava.js

Maybe when you post here, why don't you ask the question about the thing you are really doing?

https://github.com/pacmano1/Mirth-Snippets/blob/main/epicJWTforBackend.js is the jrs one but it is slooow. I use the top one for all JWTs.

Also, you don't create a pub/priv key every time. Not sure what you are doing in your code.

[pacmano1]

@Coooz you sorted out here? If yes, please mark a solution as an answer. I realize the topic sort of switched.

[Coooz]

Hi @pacmano1,
I had a day off yesterday, but I will look into your suggestion today and get back to you.

"Maybe when you post here, why don't you ask the question about the thing you are really doing?"
Yes, sounds fair. On the other hand I thought, why bother the readers of this post with all of that when the only thing I probably need to establish is RSA encryption? But it can be helpful, I see that now.

"Also, you don't create a pub/priv key every time. Not sure what you are doing in your code."
No, that's what I meant with "The private and public key are generated here which is not according to the documentation I referred to - that's another matter and not relevant for now."

[Coooz]

@pacmano1 Yes, this is exactly what I needed. Thank you so much!

[pacmano1]

Cool. Do remember to mark your other questions that have answers that worked for you please.