3.4. Digital signature
To ensure the non-repudiation of certain actions and of certain medical information stored in the central repository of clinical documents of the CEZIH system, FHIR messages and FHIR documents must be signed with the digital certificate held on the smart card of the end user who is the author of the clinical document in question or who initiated the action in question on the CEZIH system (e.g. creating a new case or changing case data in the case management service).
FHIR messages and FHIR documents are signed with a so-called enveloped signature: the entire FHIR Bundle resource that defines the FHIR message or FHIR document is signed, while the digital signature itself is placed inside the "signature" element of that FHIR resource.
The digital signature itself must be produced in accordance with the JSON Web Signature (JWS) and JSON Canonicalization Scheme (JCS) specifications.
Since the signature itself sits inside the Bundle resource being signed, the element Bundle.signature.data must be excluded both when the signature is computed and when it is verified.
In accordance with the JWS specification, the serialized digital signature consists of three parts:
- JOSE header
- JWS payload
- JWS signature
The JOSE header must include at least the attributes alg, jwk and x5c, together with all other attributes that are mandatory under the JWS specification.
The signature algorithms that must be supported are RS256, RS384 and RS512; the use of RS512 is recommended. As defined by the JWS specification, the jwk parameter must carry the public key that corresponds to the private key used for signing. The public key must be in JSON Web Key (JWK) form.
The x5c attribute of the JOSE header must carry the digital certificate of the end user whose private key was used for signing.
Since the smart cards of healthcare professionals (the blue HZZO cards) currently support only the RSAwithSHA1 signing algorithm, which the JWS standard does not define, the standard has been extended with that algorithm, and when signing, that algorithm (RS1) must be specified in the JOSE header.
Example JOSE header:
{
"alg": "RS1",
"jwk": {"kty":"RSA","e":"AQAB","kid":"2f275835-f510-4845-9809-3017de9e29b3","n":"zqyzjjC6Mu679TyTrokg1ifH8SsqyLNhpyn_ToyxLahJPPtyDcC-QwRuIzhLR2JbrMNVbWd3LjfPlXLaqHL23v9EOYSe8is-iKSsXW0CrsdiztNnY1ZczzUdN-4Ic7CQZxHYdI1IRumd5O1q0AjVOMpwPoZtvmvkqEnfhnoUOPo1hH5XY7rmTWEMg0JPZked2zljGKEIBt1gmRvwxuDwBKteycveUHDe7-fvH5TwdVoHEbNsHCRrO1RpmBd5TG1PrCXVB_wSiyBsxld7H6JYzE7ic8uGT98BLvZGE0qV9D0fR4z-XIow073ZOIa9v8aPu_2QIpbv6x0re5gPRTAnfw"},
"x5c": "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"
}
In accordance with the JWS specification, the JWS payload contains the base64url-encoded canonicalized form of the JSON being signed. As explained above, the JSON being signed is the Bundle resource of the document or message.
Example:
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
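The following Go program is a worked example added here; it is not part of the CEZIH specification and not the project's own code. It walks through the procedure described in this section for a constructed sample Bundle: Bundle.signature.data is removed, the Bundle is canonicalized with JCS, the JOSE header carries alg, jwk and x5c, and the compact JWS is produced with RS1 (RSASSA-PKCS1-v1_5 over SHA-1) and stored back in signature.data. Because the verifier takes the signer's public key from x5c, the example generates a self-signed certificate and key to stand in for the smart card; the Bundle contents, the function names and the certificate subject are assumptions of the example. Two points follow RFC 7515 rather than the header example above: x5c is serialized as an array of standard-base64 DER certificates, and the verifier pins alg to RS1 so that a signature presenting another algorithm is rejected. The canonicalization covers only the subset of JCS needed here (sorted ASCII keys, no numbers); a production implementation needs the full RFC 8785 key ordering and number formatting.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

const algRS1 = "RS1" // CEZIH extension of JWS: RSASSA-PKCS1-v1_5 with SHA-1, not a registered JWS alg

// sampleBundle is a constructed minimal FHIR Bundle (not CEZIH data); its signature element has no data yet.
var sampleBundle = map[string]interface{}{
	"resourceType": "Bundle", "id": "demo-bundle-1", "type": "document",
	"entry":        []interface{}{map[string]interface{}{"resource": map[string]interface{}{"resourceType": "Composition", "status": "final"}}},
	"signature":    map[string]interface{}{"when": "2024-01-01T12:00:00Z"},
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func mustBytes(b []byte, err error) []byte { if err != nil { panic(err) }; return b } // demo-only, signing side

// canonicalJSON serialises v per JCS (RFC 8785) for the subset used here: sorted keys, no whitespace,
// no HTML escaping. Full JCS additionally needs UTF-16 key ordering and ES6 number formatting.
func canonicalJSON(v interface{}) ([]byte, error) {
	var sb strings.Builder
	enc := json.NewEncoder(&sb)
	enc.SetEscapeHTML(false) // JCS leaves <, > and & unescaped
	err := enc.Encode(v)
	return []byte(strings.TrimSuffix(sb.String(), "\n")), err
}

// withoutSignatureData copies the Bundle with Bundle.signature.data removed; this exact form is
// canonicalised both when the signature is computed and when it is verified.
func withoutSignatureData(bundle map[string]interface{}) map[string]interface{} {
	cp, sigCp := map[string]interface{}{}, map[string]interface{}{}
	for k, v := range bundle { cp[k] = v }
	if sig, ok := bundle["signature"].(map[string]interface{}); ok {
		for k, v := range sig { if k != "data" { sigCp[k] = v } }
		cp["signature"] = sigCp
	}
	return cp
}

// signBundle builds the JOSE header (alg, jwk, x5c) and the payload (base64url of the canonical Bundle
// without signature.data), signs with RS1 and returns a copy of the Bundle with the compact JWS in
// signature.data. The Bundle must already carry a signature element (who/when), as FHIR requires.
func signBundle(bundle map[string]interface{}, key *rsa.PrivateKey, cert *x509.Certificate) map[string]interface{} {
	stripped := withoutSignatureData(bundle)
	payload := mustBytes(canonicalJSON(stripped))
	header := mustBytes(json.Marshal(map[string]interface{}{
		"alg": algRS1,
		"jwk": map[string]string{"kty": "RSA", "e": b64url(big.NewInt(int64(key.E)).Bytes()), "n": b64url(key.N.Bytes())},
		"x5c": []string{base64.StdEncoding.EncodeToString(cert.Raw)}, // RFC 7515: array of base64 DER certs
	}))
	signingInput := b64url(header) + "." + b64url(payload)
	digest := sha1.Sum([]byte(signingInput))
	sig := mustBytes(rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, digest[:]))
	stripped["signature"].(map[string]interface{})["data"] = signingInput + "." + b64url(sig)
	return stripped
}

// verifyBundle pins the algorithm, takes the signer's key from x5c, recomputes the payload from the
// Bundle itself (so a swapped header or payload is caught) and checks the RS1 signature. Validating
// the x5c certificate against the trusted issuing CA is a separate step not shown here.
func verifyBundle(signed map[string]interface{}) error {
	sigElem, _ := signed["signature"].(map[string]interface{})
	jws, _ := sigElem["data"].(string)
	parts := strings.Split(jws, ".")
	if len(parts) != 3 { return errors.New("signature.data is not a compact JWS") }
	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0]); if err != nil { return err }
	var header struct{ Alg string; X5c []string } // encoding/json matches "alg" and "x5c" case-insensitively
	if err := json.Unmarshal(headerJSON, &header); err != nil { return err }
	if header.Alg != algRS1 || len(header.X5c) == 0 { return errors.New("unexpected alg or missing x5c") }
	der, err := base64.StdEncoding.DecodeString(header.X5c[0]); if err != nil { return err }
	cert, err := x509.ParseCertificate(der); if err != nil { return err }
	pub, ok := cert.PublicKey.(*rsa.PublicKey); if !ok { return errors.New("x5c certificate does not carry an RSA key") }
	payload, err := canonicalJSON(withoutSignatureData(signed)); if err != nil { return err }
	if b64url(payload) != parts[1] { return errors.New("JWS payload does not match the Bundle content") }
	sig, err := base64.RawURLEncoding.DecodeString(parts[2]); if err != nil { return err }
	digest := sha1.Sum([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig)
}

// newDemoCredentials stands in for the smart card: a fresh RSA key and a self-signed certificate.
func newDemoCredentials() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048); if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Practitioner (constructed)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key); if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}
```

To try it, call newDemoCredentials, pass the key and certificate with sampleBundle to signBundle, and hand the result to verifyBundle; changing any field of the signed Bundle afterwards makes verifyBundle fail, because the payload is recomputed from the Bundle that was actually received rather than trusted from the JWS. In the real flow the host application builds the signing input exactly as signBundle does, but the RSA operation over the SHA-1 digest is performed by the smart card, so the private key never leaves the card.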