Canonical Resource Management Infrastructure Implementation Guide
2.0.0-ballot - STU 2 - Ballot International flag

This page is part of the Canonical Resource Management Infrastructure Implementation Guide (v2.0.0-ballot: STU 2 Ballot) based on FHIR (HL7® FHIR® Standard) R4. This version is a pre-release. The current official version is 1.0.0. For a full list of available versions, see the Directory of published versions

Library: ExampleSignatureLibrary

Official URL: http://hl7.org/fhir/uv/crmi/Library/ExampleSignatureLibrary Version: 2.0.0-ballot
Standards status: Informative Computable Name:
Other Identifiers: OID:2.16.840.1.113883.4.642.40.38.28.13

This example now demonstrates how to properly attach an artifact signature to a FHIR Library resource using the CRMI signature extension.

The generated SHA256 checksum of the current resource (which excludes id, text, and meta), in minified JSON form is:

892c98e8660c3b84f88cffc4759880ea6f73afa9f58a5ee5dd2f8b7c48250dca

The signature data value after base64 decoding is a JWT:

eyJhbGciOiJSUzM4NCJ9.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdDozMDAwL29pZGMiLCJoYXNoIjoiODkyYzk4ZTg2NjBjM2I4NGY4OGNmZmM0NzU5ODgwZWE2ZjczYWZhOWY1OGE1ZWU1ZGQyZjhiN2M0ODI1MGRjYSJ9.T581_ZkQee7RnJpePnApDIgWtHCO6GUFltHF3riM0wEEAMuVK8X63OrBZpRMCFZWwJ9_RQk3Jo9q4Tyu5WxnZaFxyH0cDCs21gFuCtUanRf4jep2ZfShjVjmm90AGyAzz6EeTodpWyNL48Js__ZSmK8HahkFos5DWZdi93BZalOPvR-pAnzKgxyrrkdmLFZBjKC6drzqhfTyTY0P2yLZV0x6X3btvkdcci8_tqKDl8xz84Gut4iHr0fivP7CbzBoIO6Dlw1gScFWaE9ATRDvkTnSYu3JVptMZo4xgKhrL3ZQktrQZm1CIQ8tnMn5hCdT7W-DysejxxH9t128FYBA1Q

The decoded JWT payload contains the following fields:

  • iss: The issuer of the signature, which is the CRMI server URL.
  • hash: The SHA256 checksum of the resource in minified JSON form. 
    {
"iss": "https://localhost:3000/oidc",
"hash": "892c98e8660c3b84f88cffc4759880ea6f73afa9f58a5ee5dd2f8b7c48250dca"
}

The signature is created using the private key of the CRMI server, ensuring the integrity and authenticity of the resource. Clients can verify JWT signature using the public key provided by the CRMI server, and then verify the SHA256 checksum against the resource's content to ensure it has not been altered.

Id: ExampleSignatureLibrary
Version: 2.0.0-ballot
Url: ExampleSignatureLibrary

urn:oid:2.16.840.1.113883.4.642.40.38.28.13

Type:

system: http://terminology.hl7.org/CodeSystem/library-type

code: logic-library

Date: 2025-08-01 18:39:13+0000
Publisher: HL7 International / Clinical Decision Support
Description:

This example now demonstrates how to properly attach an artifact signature to a FHIR Library resource using the CRMI signature extension.

The generated SHA256 checksum of the current resource (which excludes id, text, and meta), in minified JSON form is:

892c98e8660c3b84f88cffc4759880ea6f73afa9f58a5ee5dd2f8b7c48250dca

The signature data value after base64 decoding is a JWT:

eyJhbGciOiJSUzM4NCJ9.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdDozMDAwL29pZGMiLCJoYXNoIjoiODkyYzk4ZTg2NjBjM2I4NGY4OGNmZmM0NzU5ODgwZWE2ZjczYWZhOWY1OGE1ZWU1ZGQyZjhiN2M0ODI1MGRjYSJ9.T581_ZkQee7RnJpePnApDIgWtHCO6GUFltHF3riM0wEEAMuVK8X63OrBZpRMCFZWwJ9_RQk3Jo9q4Tyu5WxnZaFxyH0cDCs21gFuCtUanRf4jep2ZfShjVjmm90AGyAzz6EeTodpWyNL48Js__ZSmK8HahkFos5DWZdi93BZalOPvR-pAnzKgxyrrkdmLFZBjKC6drzqhfTyTY0P2yLZV0x6X3btvkdcci8_tqKDl8xz84Gut4iHr0fivP7CbzBoIO6Dlw1gScFWaE9ATRDvkTnSYu3JVptMZo4xgKhrL3ZQktrQZm1CIQ8tnMn5hCdT7W-DysejxxH9t128FYBA1Q

The decoded JWT payload contains the following fields:

  • iss: The issuer of the signature, which is the CRMI server URL.
  • hash: The SHA256 checksum of the resource in minified JSON form.
{
  "iss": "https://localhost:3000/oidc",
  "hash": "892c98e8660c3b84f88cffc4759880ea6f73afa9f58a5ee5dd2f8b7c48250dca"
}

The signature is created using the private key of the CRMI server, ensuring the integrity and authenticity of the resource. Clients can verify JWT signature using the public key provided by the CRMI server, and then verify the SHA256 checksum against the resource's content to ensure it has not been altered.
Jurisdiction: 001