jmix-rs 0.3.1

Rust library for JMIX (JSON Medical Interchange) format - secure medical data exchange with cryptographic features
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320

# JMIX-RS

A Rust implementation of the JMIX (JSON Medical Interchange) format for secure medical data exchange.

## Features

- DICOM file processing and metadata extraction
- JSON Schema validation
- AES-256-GCM encryption with Curve25519 ECDH key exchange
- JWS digital signatures (Ed25519)
- Cryptographic assertions for sender/requester/receiver identity verification
- High-level builder API for envelope creation

## Installation

```toml
[dependencies]
jmix-rs = "0.2.0"
```

## Usage

### Basic JMIX Envelope

```rust
use jmix_rs::{builder::JmixBuilder, config::Config};

let builder = JmixBuilder::new();
let config = Config::from_file("config.json")?;
let (envelope, files) = builder.build_from_dicom("path/to/dicom", &config)?;
```

### With Security Features

```rust
// With encryption and signatures
let builder = JmixBuilder::with_complete_security()?;
let (envelope, files) = builder.build_from_dicom("path/to/dicom", &config)?;
let saved_files = builder.save_to_files(&envelope, &files, "output/")?;
```

### DICOM Processing

```rust
use jmix_rs::dicom::DicomProcessor;

let processor = DicomProcessor::new();
let metadata = processor.process_dicom_folder("path/to/dicom", None)?;
println!("Extracted {} instances", metadata.instance_count);
```

### Configuration Example

Create a configuration file:

```json
{
  "version": "1.0",
  "sender": {
    "name": "Healthcare Provider",
    "id": "org:provider.123",
    "contact": "admin@provider.com"
  },
  "patient": {
    "name": "John Doe",
    "id": "PAT12345",
    "dob": "1985-03-15"
  }
}
```

## Examples

```bash
# Basic envelope creation
cargo run --example build_jmix

# Digital signatures
cargo run --example jws_signing

# End-to-end encryption
cargo run --example envelope_encryption

# Identity verification
cargo run --example sender_assertions
```

## CLI (runbeam)

A small CLI is included to validate JMIX packages.

Build and run:

```bash
cargo run --bin runbeam -- validate ./tmp/<ENVELOPE_ID>.jmix
```

Flags:
- --validate-schema: enable JSON Schema validation (defaults to false)
- --schema-dir PATH: custom schema directory (default ../jmix/schemas)
- --verify-assertions: verify sender/requester/receiver assertions if present
- --key PATH: recipient secret key for decrypting encrypted packages (payload.enc)
- --json: output a machine-readable JSON report

Examples:

```bash
# Unencrypted package, no schema checks
cargo run --bin runbeam -- validate ./tmp/<id>.jmix

# Encrypted package: verify decryption + payload hash using secret key
cargo run --bin runbeam -- validate ./tmp/<id>.jmix --key ./tmp/keys_encrypted_test/recipient_secret.key

# With schema checks (requires schemas available)
cargo run --bin runbeam -- validate ./tmp/<id>.jmix --validate-schema --schema-dir ../jmix/schemas

# JSON output
cargo run --bin runbeam -- validate ./tmp/<id>.jmix --json
```

### Verifying assertions

To verify sender/requester/receiver assertions during validation, add `--verify-assertions`:

```bash
# Build your envelope with assertions (see examples/sender_assertions.rs for generation)
# Then validate with assertion checks enabled
cargo run --bin runbeam -- validate ./tmp/<id>.jmix --verify-assertions
```

### Decrypting an encrypted package

Extract the contents of `payload.enc` using the recipient's secret key:

```bash
cargo run --bin runbeam -- decrypt ./tmp/<id>.jmix \
  --key ./tmp/keys_encrypted_test/recipient_secret.key \
  --out ./tmp/decrypted
```

Tip: Temporary and example outputs are written under ./tmp/ by convention.

## Technical Details

### DICOM Processing

The library includes a DICOM processor that can:

- Detect DICOM files by magic number, file extension, and parsing validation
- Extract metadata: patient info, study details, series information
- Handle multiple files by merging metadata from multiple instances
- Fallback gracefully using config data when DICOM parsing fails

Example output:

```
Extracted DICOM metadata:
  Patient name: Some("Brown, Jane")
  Patient ID: Some("PID156695") 
  Study description: Some("CT Pulmonary Angiogram")
  Modalities: ["CT"]
  Series count: 1
  Instance count: 15
```

### Cryptographic Features

- **AES-256-GCM**: Authenticated encryption with 256-bit keys
- **Curve25519**: Elliptic curve Diffie-Hellman key exchange
- **Ed25519**: Elliptic curve digital signatures
- **SHA-256**: Cryptographic hashing for fingerprints and integrity
- **JWS**: JSON Web Signature standard (RFC 7515)

### Payload Hashing

JMIX-RS computes and validates a deterministic payload hash stored in `manifest.security.payload_hash` (format: `sha256:<hex>`):

- Unencrypted packages: The hash is computed over the contents of `payload/` as follows:
  - Recursively list files under `payload/`
  - Sort by path relative to `payload/` (Unicode codepoint order)
  - For each file: update the SHA-256 hasher with `relative/path` (UTF-8), then a single newline byte (`\n`), then the file's raw bytes
  - The final digest is emitted as `sha256:<hex>`

- Encrypted packages: The payload is first assembled as a `payload.tar` and then encrypted to `payload.enc` using AES-256-GCM with ECDH (Curve25519) and HKDF-SHA256. The payload hash is computed as the SHA-256 over the plaintext `payload.tar` bytes prior to encryption and saved in the manifest. This makes the hash independent of IVs/ephemeral keys and stable across encryptions.

During validation:
- Unencrypted: the validator recomputes the directory hash and compares it to the manifest value.
- Encrypted: when a recipient secret key is provided, the validator decrypts `payload.enc`, hashes the plaintext TAR, and compares.

### Schema Validation

The validation system supports:

- Configurable schema path (default: `../jmix/schemas`)
- Lazy loading of schemas on demand
- Comprehensive validation for manifest, metadata, audit, and files
- Detailed error reporting with schema path and validation failures

To enable schema validation:

1. Ensure schema files exist in `../jmix/schemas/` (or configure a custom directory)
2. Configure schema discovery (precedence):
   - CLI flag `--schema-dir <PATH>`
   - Environment variable `JMIX_SCHEMA_DIR=/absolute/or/relative/path`
   - Default `../jmix/schemas`
3. Run validation tests:
   ```bash
   JMIX_SCHEMA_DIR=../jmix/schemas \
   cargo test test_validate_sample_files_with_schemas -- --ignored
   ```

CLI examples:
```bash
# Use a specific schema directory
cargo run --bin runbeam -- validate ./tmp/<id>.jmix --validate-schema --schema-dir ../jmix/schemas

# Or via environment variable (no flag needed)
JMIX_SCHEMA_DIR=../jmix/schemas \
  cargo run --bin runbeam -- validate ./tmp/<id>.jmix --validate-schema
```

### Error Handling

```rust
use jmix_rs::error::{JmixError, ValidationError, DicomError, EncryptionError};

match result {
    Ok(envelope) => println!("Success: Secure envelope created"),
    Err(JmixError::Validation(e)) => eprintln!("Schema validation error: {}", e),
    Err(JmixError::Dicom(e)) => eprintln!("DICOM processing error: {}", e),
    Err(JmixError::Encryption(e)) => eprintln!("Encryption error: {}", e),
    Err(JmixError::Jws(e)) => eprintln!("Signing error: {}", e),
    Err(JmixError::Assertion(e)) => eprintln!("Assertion error: {}", e),
    Err(e) => eprintln!("Other error: {}", e),
}
```

## Testing

```bash
# Run all tests (50+ tests)
cargo test

# Run with output
cargo test -- --nocapture

# Test specific modules
cargo test encryption
cargo test jws
cargo test assertion
```

### Test Coverage

- **Unit tests (32)**: DICOM, encryption, JWS, assertions, builder, types
- **Integration tests (11)**: End-to-end security, DICOM processing, envelope structure
- **Sample validation tests (7)**: JSON sample consistency, config conversion

## Project Structure

```
src/
├── lib.rs                  # Library root
├── config.rs               # Configuration types
├── types.rs                # JMIX core types
├── builder.rs              # High-level builder API
├── validation.rs           # JSON Schema validation
├── dicom.rs                # DICOM file processing
├── encryption.rs           # AES-256-GCM encryption (ECDH+HKDF)
├── jws.rs                  # JWS digital signatures
├── assertion.rs            # Ed25519 identity assertions
├── package_validation.rs   # Package-level validation API (hash, schema, assertions, decrypt)
├── bin/
│   └── runbeam.rs          # CLI: runbeam validate
└── error.rs                # Error handling

examples/
├── build_jmix.rs       # Basic envelope creation
├── jws_signing.rs      # Digital signature example
├── envelope_encryption.rs    # End-to-end encryption
└── sender_assertions.rs      # Identity verification

samples/
├── study_1/            # Real DICOM files (15 files, 3 series)
├── sample_config.json  # Configuration example
├── sample_manifest.json
├── sample_metadata.json
├── sample_audit.json
└── sample_files.json
```

## Sample Data

The library includes real sample data for testing:

- **DICOM files**: CT study with 15 instances across 3 series
- **JSON samples**: Complete configuration and manifest examples
- **Test data**: Used in integration tests and examples

## Development

```bash
# Build and test
cargo build
cargo test

# Run examples
cargo build --examples

# Code quality
cargo clippy
cargo fmt

# Generate documentation
cargo doc --open
```

## License

This project matches the licensing of the original PHP implementation.