generate-rsa384-keys.js

const { base64url } = await import('https://cdn.skypack.dev/rfc4648');
/**
 * @param {JsonWebKey} key
 */
async function generateThumbprint(key) {
  // https://datatracker.ietf.org/doc/html/rfc7638
  const { e, kty, n } = key;
  const json = JSON.stringify({ e, kty, n });
  const encoder = new TextEncoder();
  const digest = await crypto.subtle.digest('SHA-256', encoder.encode(json));
  return base64url.stringify(new Uint8Array(digest), { pad: false });
}

/** @type {RsaHashedKeyGenParams} */
const keygenParams = {
  name: 'RSASSA-PKCS1-v1_5',
  modulusLength: 2048,
  publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
  hash: { name: 'SHA-384' }
};

/** @type {RsaHashedImportParams} */
const importParams = {
  name: 'RSASSA-PKCS1-v1_5',
  hash: 'SHA-384'
};

async function generateJwkCryptoKeyPair() {
  const keyPair = await crypto.subtle.generateKey(keygenParams, true, [
    'sign',
    'verify'
  ]);
  const [publicKey, privateKey] = await Promise.all([
    crypto.subtle.exportKey('jwk', keyPair.publicKey),
    crypto.subtle.exportKey('jwk', keyPair.privateKey)
  ]);
  publicKey.kid = privateKey.kid = await generateThumbprint(publicKey);
  return {
    publicKey,
    privateKey
  };
}

const { publicKey, privateKey } = await generateJwkCryptoKeyPair();

console.log(`
🟩 PUBLIC jwks
FHIR server will fetch these public keys to verify JWT signature as described in
https://hl7.org/fhir/smart-app-launch/client-confidential-asymmetric.html#signature-verification

${JSON.stringify({ keys: [publicKey] }, null, 2)}

🚨 PRIVATE signing key - you will use these to sign your JWT to make a token request
as described in https://hl7.org/fhir/smart-app-launch/client-confidential-asymmetric.html#request

${JSON.stringify(privateKey, null, 2)}
`);