Upgrade SHL server to support VHL

Grahame Grieve · Grahame Grieve · commit 60e2fb869baa · 2025-06-06T06:29:24.000+02:00
diff --git a/library/web/fsl_crypto.pas b/library/web/fsl_crypto.pas
@@ -284,13 +284,14 @@   TJWTUtils = class (TFslObject)
     class function loadRSAPublicKey(contents : TBytes) : PRSA; overload;
     class function loadDSAPublicKey(pemfile, pempassword : AnsiString) : PDSA;
 
-    class function Sign_Hmac_SHA256(input : TBytes; key: TJWK) : TBytes;
-    class function Sign_Hmac_RSA256(input : TBytes; key: TJWK) : TBytes; overload;
-    class function Sign_ES256(input : TBytes; key: TJWK) : TBytes; overload;
     class function checks(method: TJWTAlgorithm; key : TJWK): String;
 
   public
     class function Sign_Hmac_RSA256(input : TBytes; pemfile, pempassword : String) : TBytes; overload;
+    class function Sign_Hmac_SHA256(input : TBytes; key: TJWK) : TBytes;
+    class function Sign_Hmac_RSA256(input : TBytes; key: TJWK) : TBytes; overload;
+    class function Sign_ES256(input : TBytes; key: TJWK) : TBytes; overload;
+    class function Sign_ES512(input : TBytes; key: TJWK) : TBytes; overload;
 
     // general use: pack a JWT using the key speciifed. No key needed if method = none
     class function encodeJWT(jwt : TJWT; method : TJWTAlgorithm; key : TJWK; zip : String = '') : String; overload;
@@ -1574,6 +1575,63 @@ class function TJWTUtils.Sign_ES256(input: TBytes; key: TJWK): TBytes;
   end;
 end;
 
+class function TJWTUtils.Sign_ES512(input: TBytes; key: TJWK): TBytes;
+var
+  ctx : PEVP_MD_CTX;
+  keysize : integer;
+  len, l : QWord;
+  p : System.PByte;
+  pkey: PEVP_PKEY;
+  PkeyCtx: PEVP_PKEY_CTX;
+  rkey: PEC_KEY;
+  keys : TJWKList;
+  keytype : integer;
+  {$IFDEF ALT}
+  Signature: array [0..8000] of byte;
+  {$ENDIF}
+begin
+  check(key <> nil, 'A key must be provided for ES256');
+  len := 0;
+  p := @input[0];
+  l := length(input);
+  {$IFDEF ALT}
+  for keysize := 0 to 8000 do
+    Signature[keysize] := 0;
+  {$ENDIF}
+
+  // 1. Load the RSA private Key from FKey
+  rkey := key.LoadEC(true);
+  try
+    pkey := EVP_PKEY_new;
+    try
+      check(EVP_PKEY_set1_EC_KEY(pkey, rkey) = 1, 'openSSL EVP_PKEY_set1_RSA failed');
+
+      // 2. do the signing
+      keysize := EVP_PKEY_size(pkey);
+      len := keysize;
+      SetLength(result, keysize);
+      ctx := EVP_MD_CTX_new;
+      try
+        check(EVP_DigestSignInit(ctx, @PkeyCtx, EVP_sha512, nil, pKey) = 1, 'openSSL EVP_DigestInit_ex failed');
+  {$IFNDEF ALT}
+        check(EVP_DigestUpdate(ctx, p, l) = 1, 'openSSL EVP_DigestUpdate failed');
+        check(EVP_DigestSignFinal(ctx, @result[0], @len) = 1, 'openSSL EVP_DigestSignFinal failed');
+  {$ELSE}
+        check(EVP_DigestSign(ctx, @result[0], @len, p, l) = 1, 'openSSL EVP_DigestSign failed');
+  {$ENDIF}
+        SetLength(result, len);
+      finally
+        EVP_MD_CTX_free(ctx);
+      end;
+      result := DERTobase(result);
+    finally
+      EVP_PKEY_free(pKey);
+    end;
+  finally
+    EC_KEY_free(rkey);
+  end;
+end;
+
 class function TJWTUtils.Sign_Hmac_RSA256(input: TBytes; pemfile, pempassword: String): TBytes;
 begin
   result := nil;
diff --git a/server/endpoint_shl.pas b/server/endpoint_shl.pas
@@ -47,7 +47,8 @@ interface
   { TSHLWebServer }
   TSHLWebServer = class (TFhirWebServerEndpoint)
   private
-    FPassword : String;
+    FPassword : String; 
+    FVhlKey : TJWK;
     FDB : TFDBManager;
     procedure SetDB(AValue: TFDBManager);
     function processCreate(request: TIdHTTPRequestInfo; response: TIdHTTPResponseInfo; c : TFDBConnection) : String;
@@ -74,6 +75,7 @@   TSHLWebEndPoint = class (TFHIRServerEndPoint)
   private
     FSHLServer : TSHLWebServer;
     FPassword : String;
+    FVhlKey : TJsonObject;
     procedure checkDatabase;
   public
     constructor Create(config : TFHIRServerConfigSection; settings : TFHIRServerSettings; i18n : TI18nSupport; db : TFDBManager);
@@ -101,10 +103,12 @@ function TSHLWebServer.processCreate(request: TIdHTTPRequestInfo; response: TIdH
   req, resp : TJsonObject;
   exp : TDateTime;
   days : integer;
+  vhl : boolean;
 begin
   result := 'Create SHL context';
   req := TJsonParser.parse(request.PostStream);
   try
+    vhl := req.bool['vhl'];
     if (req.str['password'] = FPassword) then
     begin
       days := req.int['days'];
@@ -116,12 +120,13 @@ function TSHLWebServer.processCreate(request: TIdHTTPRequestInfo; response: TIdH
         resp.str['pword'] := NewGuidId;
         resp.str['link'] := 'https://'+common.host+PathWithSlash+resp.str['uuid'];
 
-        c.SQL := 'Insert into SHL (uuid, pword, expiry, mimetype) values (:u, :p, :e, :m)';
+        c.SQL := 'Insert into SHL (uuid, pword, expiry, mimetype, vhl) values (:u, :p, :e, :m, :v)';
         c.prepare;
         c.BindString('u', resp.str['uuid']);
         c.BindString('p', resp.str['pword']);
         c.BindTimeStamp('e', DateTimeToTS(exp));  
         c.BindString('m', req.str['mimetype']);
+        c.BindIntegerFromBoolean('v', vhl);
         c.execute;
         c.terminate;
         response.ResponseNo := 200;
@@ -146,41 +151,61 @@ function TSHLWebServer.processCreate(request: TIdHTTPRequestInfo; response: TIdH
 function TSHLWebServer.processUpload(request: TIdHTTPRequestInfo; response: TIdHTTPResponseInfo; c : TFDBConnection): String;
 var
   p : THTTPParameters;
-  bytes : TBytes;
+  bytes, hcert : TBytes;
+  req, resp : TJsonObject;
 begin
   result := 'upload SHL content';
   p := THTTPParameters.create(request.QueryParams, true);
   try
-    bytes := StreamToBytes(request.PostStream);
-    if (p.has('uuid') and p.has('pword')) then
-    begin
-      c.sql := 'select pword from SHL where uuid = '''+SQLWrapString(p['uuid'])+'''';
-      c.Prepare;
-      c.Execute;
-      if not c.FetchNext then
-        raise ERestfulException.create('processCreate', 404, itSecurity, 'uuid  "'+p['uuid']+'" not found', nil);
-      if p['pword'] <> c.ColStringByName['pword'] then
-        raise ERestfulException.create('processCreate', 404, itSecurity, 'password failure', nil);
-      c.terminate;
-      c.SQL := 'update SHL set blob = :b where uuid = '''+SQLWrapString(p['uuid'])+'''';
-      c.prepare;
-      c.BindBlob('b', bytes);
-      c.Execute;
-      c.terminate;
-      response.ResponseNo := 200;
-      response.ResponseText := 'OK';
-      response.ContentText := '{ "msg": "OK" }';
-    end
-    else
-      raise ERestfulException.create('processCreate', 404, itSecurity, 'uuid and/or pword not found', nil);
+    req := TJSONParser.Parse(request.PostStream);
+    try
+      bytes := DecodeBase64(req.str['cnt']);
+      hcert := DecodeBase64(req.str['hcert']);
+      if (p.has('uuid') and p.has('pword')) then
+      begin
+        c.sql := 'select pword from SHL where uuid = '''+SQLWrapString(p['uuid'])+'''';
+        c.Prepare;
+        c.Execute;
+        if not c.FetchNext then
+          raise ERestfulException.create('processCreate', 404, itSecurity, 'uuid  "'+p['uuid']+'" not found', nil);
+        if p['pword'] <> c.ColStringByName['pword'] then
+          raise ERestfulException.create('processCreate', 404, itSecurity, 'password failure', nil);
+        c.terminate;
+        c.SQL := 'update SHL set blob = :b where uuid = '''+SQLWrapString(p['uuid'])+'''';
+        c.prepare;
+        c.BindBlob('b', bytes);
+        c.Execute;
+        c.terminate;
+        response.ResponseNo := 200;
+        response.ResponseText := 'OK';
+        if hcert <> nil then
+        begin
+          resp := TJsonObject.create;
+          try
+            bytes := TJWTUtils.Sign_ES256(hcert, FVhlKey);
+            resp['signature'] := EncodeBase64(bytes);
+            resp['kid'] := FVhlKey.id;
+            response.ContentText := TJSONWriter.writeObjectStr(resp, true);
+          finally
+            resp.free;
+          end;
+        end
+        else
+          response.ContentText := '{ "msg": "OK" }';
+      end
+      else
+        raise ERestfulException.create('processCreate', 404, itSecurity, 'uuid and/or pword not found', nil);
+    finally
+      req.free;
+    end;
   finally
     p.free;
   end;
 end;
 
 function TSHLWebServer.processManifest(request: TIdHTTPRequestInfo; response: TIdHTTPResponseInfo; c: TFDBConnection): String;
 var
-  req, resp, f : TJsonObject;
+  req, resp, f, l, r, m, cnt : TJsonObject;
   uuid, b64 : String;
 begin
   uuid := request.Document.subString(PathWithSlash.length);
@@ -192,28 +217,49 @@ function TSHLWebServer.processManifest(request: TIdHTTPRequestInfo; response: TI
       c.prepare;
       c.BindString('u', uuid);
       c.execute;
-      if c.FetchNext then
+      if not c.FetchNext then 
+      begin
+        response.ResponseNo := 404;
+        response.ResponseText:= 'Not Found';
+        response.ContentText := 'SHL Not Found';
+      end
+      else if c.ColIntegerByName['vhl'] = 1 then
       begin
         f := resp.forceArr['files'].addObject;
         f.str['contentType'] := c.GetColStringByName('mimetype');
         f.str['location'] := 'https://'+common.host+PathWithSlash+'data/'+uuid;
-        b64 := c.GetColStringByName('blob'); // it's already base64 encoded
-            // EncodeBase64(c.GetColBlobByName('blob'));
+        b64 := c.GetColStringByName('blob');
         if (not req.has('embeddedLengthMax')) or (b64.Length < req.int['embeddedLengthMax']) then
           f.str['embedded'] := b64;
         response.ResponseNo := 200;
         response.ResponseText:= 'OK';                                 
         response.ContentText := TJSONWriter.writeObjectStr(resp, true);
         response.ContentType := 'application/json';
-        c.Terminate;
       end
       else
       begin
-        c.Terminate;
-        response.ResponseNo := 404;
-        response.ResponseText:= 'Not Found';
-        response.ContentText := 'SHL Not Found';
+        resp['resourceType'] := 'Bundle';
+        resp['type'] := 'searchSet';
+        l := resp.forceArr['link'].addObject;
+        l['relation'] := 'self';
+        l['url'] := 'https://'+common.host+request.URI;
+        f := resp.forceArr['entry'].addObject;
+        f['fullUrl'] := 'https://'+common.host+PathWithSlash+'DocumentReference/'+uuid;
+        r := f.forceObj['resource'];
+        r['resourceType'] := 'DocumentReference';
+        r['id'] := uuid;                          
+        m := r.forceObj['masterIdentifier'];
+        m['system'] := 'urn:ietf:rfc:3986';
+        m['value'] := f['fullUrl'];
+        cnt := r.forceArr['content'].addObject;
+        cnt['url'] := 'https://'+common.host+PathWithSlash+'data/'+uuid;
+        cnt['contentType'] := c.GetColStringByName('mimetype');
+        response.ResponseNo := 200;
+        response.ResponseText:= 'OK';
+        response.ContentText := TJSONWriter.writeObjectStr(resp, true);
+        response.ContentType := 'application/json';
       end;
+      c.Terminate;
     finally
       resp.free;
     end;
@@ -272,6 +318,7 @@ constructor TSHLWebServer.Create(code, path: String; common: TFHIRWebServerCommo
 destructor TSHLWebServer.Destroy;
 begin
   FDB.Free;
+  FVhlKey.free;
   inherited Destroy;
 end;
 
@@ -353,6 +400,7 @@ procedure TSHLWebEndPoint.checkDatabase;
                ' pword nchar(40) '+ColCanBeNull(c.owner.platform, False)+', '+
                ' mimetype nchar(60) '+ColCanBeNull(c.owner.platform, False)+', '+
                ' expiry '+DBDateTimeType(c.owner.platform)+' '+ColCanBeNull(c.owner.platform, False)+', '+
+               ' vhl int '+ColCanBeNull(c.owner.platform, true)+', '+
                ' blob '+DBBlobType(c.owner.platform)+' '+ColCanBeNull(c.owner.platform, true)+') '+
                CreateTableInfo(c.owner.platform));
           c.ExecSQL('Create INDEX SK_SHL_UUID ON SHL (uuid)');
@@ -369,10 +417,28 @@ procedure TSHLWebEndPoint.checkDatabase;
       end
       else
       begin
+        t := m.GetTable('SHL');
+        if not t.hasColumn('vhl') then
+        begin
+          c.StartTransact;
+          try
+            c.ExecSQL('ALTER TABLE SHL ADD vhl int '+ColCanBeNull(c.owner.platform, true));
+            c.Commit;
+          except
+            on e:exception do
+            begin
+              Logging.log(e.message);
+              c.Rollback;
+              recordStack(e);
+              raise;
+            end;
+          end;
+        end;
       end;
     finally
       m.free;
     end;
+    FVhlKey := TJSONParser.Parse(c.Lookup('Config', 'ConfigKey', 'jwk', 'Value', '{}'));
     c.Release;
   except
     on e: Exception do
@@ -389,6 +455,7 @@ constructor TSHLWebEndPoint.Create(config: TFHIRServerConfigSection; settings: T
 
 destructor TSHLWebEndPoint.Destroy;
 begin
+  FVhlKey.free;
   inherited Destroy;
 end;
 
@@ -403,6 +470,7 @@ function TSHLWebEndPoint.makeWebEndPoint(common: TFHIRWebServerCommon): TFhirWeb
   FSHLServer := TSHLWebServer.Create(config.name, config['path'].value, common);
   FSHLServer.DB := Database.Link;
   FSHLServer.FPassword := FPassword;
+  FSHLServer.FVhlKey := TJWK.create(FVhlKey.link);
   WebEndPoint := FSHLServer;
   result := FSHLServer.link;
 end;
