Signing Text From JavaScript

This document describes how to use the crypto.signText JavaScript method to sign a text string. It assumes that you are familiar with JavaScript and basic concepts of public-key cryptography, including public-private key pairs, digital signatures, certificates, distinguished names, and authentication.

For more information about Netscape form-signing technology, see Netscape Form Signing.

For information about JavaScript, see JavaScript Documentation. For an overview of basic cryptography concepts, see Introduction to Public-Key Cryptography.


Introduction to signText

Many kinds of electronic commerce require the ability to provide persistent proof that someone has authorized a transaction. Although SSL provides transient client authentication for the duration of an SSL connection, it does not provide persistent authentication for transactions that may occur during that connection. One way to provide such authentication is to associate a digital signature with data generated as the result of a transaction, such as a purchase order or other financial document.

To support this requirement, Communicator 4.04 and later versions provide a single JavaScript method, crypto.signText, that asks the user to sign a string of text, such as a form in a web page. The private keys associated with either S/MIME or client SSL certificates may be used to create the signature. One of the parameters passed to signText determines whether it selects a certificate for signing purposes automatically or asks the user to choose one. For example, when a user fills in a form and clicks the Submit button, a call to the signText method with the parameter caOption set to "ask" displays a dialog box that shows the exact text to be signed and asks the user to choose a certificate with which to do the signing. Figure 1 shows an example of this dialog box.

Figure 1    A dialog box displayed by a call to the signText method

A call to signText with the parameter caOption set to "auto" displays a similar dialog box displaying the exact text to be signed. In this case, however, no pop-up menu allowing the user to choose a signing certificate appears. Instead the dialog box just displays the name of the automatically selected certificate that will be used to sign the text. Communicator selects a certificate signed by a certificate authority (CA) whose distinguished name (DN) has been specified in another signText parameter.

After the data has been signed and both the signature and the data have been sent across the network, a CGI script running on the server can use the Signature Verification Tool (currently provided by Netscape for evaluation purposes only) to extract the digital signature and validate it.

For more information about the Signature Verification Tool, see Netscape Form Signing.

To give Netscape feedback about the Signature Verification Tool or ask questions about its use, please send email to signver-feedback@netscape.com.

signText Method

The signText method allows a JavaScript script to ask the user to digitally sign a text string. If the user approves the operation, signText returns a base-64-encoded PKCS #7 signed object.

Syntax

resultString = [window.]crypto.signText(stringToSign, caOption, [caNameString1, [caNameString2, . . . ]])

Parameters

The signText method has the following parameters:

stringToSign

The string that you want the user to sign. If you specify "ask" for the caOption parameter, this will be presented to the user in a dialog box similar to the one shown in Figure 1, so it should be human-readable.

caOption

One of two strings:

"ask"     Display the certificates in the certificate database that can be used for signing (limited to those issued by the CAs named in the caNameString parameters, if any are given) and let the user choose one.

"auto"    Automatically select a certificate issued by one of the CAs named in the caNameString parameters.

caNameString

A string that specifies the DN for a CA whose certificates you trust for signing purposes. You should provide a caNameString parameter for each CA that you trust for the transaction involved. For information about the DN format, see String Representation of Distinguished Names.

resultString

If the user approves the operation, signText returns a base-64-encoded PKCS #7 signed object (see Format of Result String). Otherwise, it returns one of these error codes:

Description

The signText method requests that a user digitally sign a text string. The calling script provides the text to sign (stringToSign), a string (caOption) indicating a preference for manually or automatically selecting one of the certificates in the certificate database that can be used for signing, and (optionally) a list of CA DNs (caNameString parameters). If caOption is set to "auto", signText automatically selects a certificate signed by a CA specified by one of the caNameString parameters. If caOption is set to "ask", signText displays all certificates in the certificate database that are signed by a CA identified by one of the caNameString parameters and invites the user to select one of them. If caOption is set to "ask" but no caNameString parameters are provided, signText displays all the certificates in the certificate database that can be used for signing.

In all cases the user may choose either to cancel the signing operation by clicking Cancel or to approve the operation by clicking OK. If the user approves the operation, Communicator asks for the password to the certificate database. If the user enters the correct password, signText signs the specified string and returns the signed string to the script.

Format of Result String

The result string returned by signText is a base-64-encoded PKCS #7 (version 1.5) signedData object wrapped in a contentInfo object with a contentType of signedData. The fields of the signedData object have the following values:

Field                                  Value

version                                1
digestAlgorithms                       SHA-1
contentInfo.contentType                data
contentInfo.content                    Not present. The data signed is not included in the signedData object.
certificates                           User's signing certificate and any intermediate CAs required to chain up to one of the trusted CAs listed in the caNameString parameters.
crls                                   Not present.
signerInfo.version                     1
signerInfo.issuerAndSerialNumber       The issuer and serial number for the certificate used to sign the data.
signerInfo.digestAlgorithm             SHA-1
signerInfo.authenticatedAttributes     Three attributes are present:
signerInfo.digestEncryptionAlgorithm   Algorithm used to encrypt the message digest.
signerInfo.unauthenticatedAttributes   Not present.
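Because contentInfo.content is absent, a server that receives a signText result must hash the text it was actually sent and compare it with the messageDigest authenticated attribute before it trusts anything else in the object; the following is an added example of that check (not Netscape's Signature Verification Tool and not code from the original page) using a minimal DER walker, and it also shows that the encryptedDigest covers the attributes re-tagged as SET OF rather than [0]. The sample attribute bytes are constructed, and the Latin-1 encoding of the signed string is an assumption about how the browser encodes it.

```python
import hashlib
OID_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"     # PKCS #9 messageDigest attribute

def tlv(buf, pos=0):
    """Decode one DER element at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):                             # (tag, value) pairs inside a constructed element
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = tlv(value, pos)
        out.append((tag, v))
    return out

def decode_oid(v):                               # dotted form of an OBJECT IDENTIFIER value
    arcs, n = [v[0] // 40, v[0] % 40], 0
    for b in v[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n); n = 0
    return ".".join(map(str, arcs))

def message_digest(authenticated_attrs):
    """messageDigest OCTET STRING from the DER of signerInfo.authenticatedAttributes ([0] SET OF Attribute)."""
    for _, attr in children(tlv(authenticated_attrs)[1]):
        attr_type, attr_values = children(attr)   # Attribute ::= SEQUENCE { type OID, values SET }
        if decode_oid(attr_type[1]) == OID_MESSAGE_DIGEST:
            return children(attr_values[1])[0][1]
    return None

def detached_digest_matches(text, authenticated_attrs, encoding="latin-1"):
    """contentInfo.content is absent, so the server hashes the text it received; the encoding is an assumption."""
    return message_digest(authenticated_attrs) == hashlib.sha1(text.encode(encoding)).digest()

def attrs_as_signed(authenticated_attrs):
    """Bytes the encryptedDigest covers: the attributes re-tagged as SET OF (0x31) instead of [0] (0xA0)."""
    return b"\x31" + authenticated_attrs[1:]

def der(tag, payload):                           # tiny encoder for the sample; short-form lengths only
    return bytes([tag, len(payload)]) + payload

# Constructed sample (not from the page): contentType = data and messageDigest = SHA-1("abc").
OID_CONTENT_TYPE, OID_DATA, OID_MSG_DIGEST = (bytes.fromhex(h) for h in
    ("06092a864886f70d010903", "06092a864886f70d010701", "06092a864886f70d010904"))
SAMPLE_ATTRS = der(0xA0, der(0x30, OID_CONTENT_TYPE + der(0x31, OID_DATA)) +
    der(0x30, OID_MSG_DIGEST + der(0x31, der(0x04, bytes.fromhex("a9993e364706816aba3e25717850c26c9cd0d89d")))))
```

A full verifier would go on to check the RSA signature over attrs_as_signed(...) with the signer's certificate and chain that certificate to one of the CAs named in the caNameString parameters.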

Example

This is a simple example of a script that signs a string:

<html> 
<head>
<script>
var foo = crypto.signText("Bill of Sale\n--------------------\n3 Tires $300.00\n1 Axle $795.00\n2 Bumpers    $500.00\n--------------------\nTotal Price $1595.00", "ask");
</script>
</head>
<body>
This is an HTML page<p>
<script>
document.write(foo);
</script>
</body>
</html>
The result of the signText operation in the example above is a long base-64-encoded string. A pretty print of that block of base-64-encoded data looks like this:

PKCS #7 Content Info: 
PKCS #7 Signed Data:
Version: 1 (0x1)
Digest Algorithm List:
Digest Algorithm (1): SHA-1
Content Information:
PKCS #7 Data:
<no content>
Certificate List:
Certificate (1):
Data:
Version: 3 (0x2)
Serial Number:
17:10:1c:f9:78:e5:3d:77:cb:5d:73:ff:19:0d:
5a:cd
Signature Algorithm: PKCS #1 MD5 With RSA Encryption
Issuer: OU=VeriSign Class 1 CA - Individual Subscriber, O="VeriSign, Inc.", L=Internet
Validity:
Not Before: Sun Oct 26 16:00:00 1997
Not After: Fri Dec 26 15:59:59 1997
Subject: E=jsw@netscape.com, CN=Jeff 53 Weinstein, OU=Digital ID Class 1 - Netscape,
OU="www.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)96", OU=VeriSign Class 1 CA - Individual Subscriber,
O="VeriSign, Inc.", L=Internet
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
00:b1:e8:1c:ef:30:7c:e7:a9:7a:28:75:
f6:a7:87:3b:cd:3c:94:0f:35:8a:a6:52:
9c:fc:19:ad:a9:2f:47:e6:be:ec:f5:ba:
9d:b5:64:b9:72:81:1c:49:f1:a2:e9:cc:
4a:2c:9a:4a:a7:f6:64:15:6a:9f:b7:3e:
c8:24:48:59:79
Exponent: 65537 (0x10001)
Signed Extensions:
Name:
Certificate Basic Constraints
Data:
30:00
Name:
Certificate Policies
Data:
30:80:30:80:06:0b:60:86:48:01:86:f8:45:
01:07:01:01:30:80:30:28:06:08:2b:06:01:
05:05:07:02:01:16:1c:68:74:74:70:73:3a:
2f:2f:77:77:77:2e:76:65:72:69:73:69:67:
6e:2e:63:6f:6d:2f:43:50:53:30:62:06:08:
2b:06:01:05:05:07:02:02:30:56:30:15:16:
0e:56:65:72:69:53:69:67:6e:2c:20:49:6e:
63:2e:30:03:02:01:01:1a:3d:56:65:72:69:
53:69:67:6e:27:73:20:43:50:53:20:69:6e:
63:6f:72:70:2e:20:62:79:20:72:65:66:65:
72:65:6e:63:65:20:6c:69:61:62:2e:20:6c:
74:64:2e:20:28:63:29:39:37:20:56:65:72:
69:53:69:67:6e:00:00:00:00:00:00
Name:
Certificate Type
Data:
03:02:07:80
Name:
60:86:48:01:86:f8:45:01:06:03
Data:
16:00
Signature Algorithm: PKCS #1 MD5 With RSA Encryption
Signature:
ad:ec:a9:6f:29:7a:3d:a3:55:14:b0:54:93:c5:d9:
cd:95:1a:72:6a:84:75:ef:8d:d1:a7:b7:01:b1:d3:
ea:c5:a4:de:de:50:02:4e:27:16:81:63:92:20:7a:
dd:48:5f:91:cd:fb:fb:11:cc:57:8f:41:1d:9a:4d:
2e:f9:b5:89:e2:29:fd:d5:eb:04:8a:f8:37:87:97:
b0:b9:13:fd:52:56:71:96:07:dc:44:4b:a0:f4:00:
21:49:17:a3:2d:53:cb:82:d8:b5:f3:0a:91:6a:c8:
f2:1c:7a:5c:15:66:f7:7c:dd:c0:7c:f1:fe:51:bb:
cf:9f:d0:8a:11:55:fd:79
Certificate (2):
Data:
Version: 3 (0x2)
Serial Number:
52:1f:35:1d:f2:70:7e:00:2b:be:ca:59:87:04:
d5:39
Signature Algorithm: PKCS #1 MD2 With RSA Encryption
Issuer: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Validity:
Not Before: Wed Jun 26 17:00:00 1996
Not After: Sun Jun 27 16:59:59 1999
Subject: OU=VeriSign Class 1 CA - Individual Subscriber, O="VeriSign, Inc.", L=Internet
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
00:b6:14:a6:cf:4d:d0:05:0d:d8:ca:23:
d0:6f:aa:b4:29:92:63:8e:2c:f8:6f:96:
d7:2e:9d:76:4b:11:b1:36:8d:57:c9:c3:
fd:1c:c6:ba:fe:1e:08:ba:33:ca:95:ea:
be:e3:5b:cd:06:a8:b7:79:1d:44:2a:ed:
73:f2:b1:52:83:68:10:70:64:91:d7:3e:
6b:f9:f7:5d:9d:14:43:9b:6e:97:45:98:
81:47:d1:2d:cb:dd:bb:72:d7:4c:3f:71:
aa:e2:40:f2:54:39:bc:16:ee:cf:7c:ec:
ba:db:3f:6c:2a:b3:16:b1:86:12:9d:ae:
93:34:d5:b8:d5:d0:f7:3e:a9
Exponent: 65537 (0x10001)
Signed Extensions:
Name:
Certificate Basic Constraints
Data:
30:06:01:01:ff:02:01:01
Name:
Certificate Key Usage
Data:
03:02:01:06
Name:
Certificate Type
Data:
03:02:01:06
Signature Algorithm: PKCS #1 MD2 With RSA Encryption
Signature:
c1:fa:f7:02:e7:57:ca:11:75:c6:9c:0c:fa:2b:77:
4f:87:45:17:3b:e3:d2:c1:da:0f:58:39:8e:ae:95:
99:03:a1:a8:a1:38:fe:79:9a:93:17:0b:97:86:39:
c7:ca:68:34:66:bb:c7:88:45:f6:c8:0c:05:ee:be:
97:25:ef:e0:d4:6e:e4:7f:9d:76:5c:ce:7d:ba:14:
a2:ae:0b:9f:fb:67:5b:48:a5:67:25:af:19:64:88:
f6:72:d8:29:27:aa:37:12:6a:b1:28:af:27:83:18:
65:6c:8d:ed:40:9e:4d:c4:78:a8:86:ec:e9:2c:50:
bf:a6:f9:0d:db:b0:a6:4a
Certificate (3):
Data:
Version: 1 (0x0)
Serial Number:
02:a4:00:00:01
Signature Algorithm: PKCS #1 MD2 With RSA Encryption
Issuer: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Validity:
Not Before: Sun Jan 28 16:00:00 1996
Not After: Fri Dec 31 15:59:59 1999
Subject: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
00:e5:19:bf:6d:a3:56:61:2d:99:48:71:
f6:67:de:b9:8d:eb:b7:9e:86:80:0a:91:
0e:fa:38:25:af:46:88:82:e5:73:a8:a0:
9b:24:5d:0d:1f:cc:65:6e:0c:b0:d0:56:
84:18:87:9a:06:9b:10:a1:73:df:b4:58:
39:6b:6e:c1:f6:15:d5:a8:a8:3f:aa:12:
06:8d:31:ac:7f:b0:34:d7:8f:34:67:88:
09:cd:14:11:e2:4e:45:56:69:1f:78:02:
80:da:dc:47:91:29:bb:36:c9:63:5c:c5:
e0:d7:2d:87:7b:a1:b7:32:b0:7b:30:ba:
2a:2f:31:aa:ee:a3:67:da:db
Exponent: 65537 (0x10001)
Signature Algorithm: PKCS #1 MD2 With RSA Encryption
Signature:
52:73:ba:9a:55:dc:dc:3f:82:7d:b0:90:98:62:2a:
82:4c:76:00:6e:25:3d:d5:c2:09:70:57:01:0c:0f:
77:1f:18:a1:fb:1c:60:0e:a0:75:3b:49:21:41:fe:
a7:5c:2d:4c:42:49:d3:ff:28:d8:8c:ea:9d:fe:c9:
07:e2:77:82:53:23:de:55:f3:ce:44:93:fa:fa:4c:
bd:ca:36:f3:5b:66:b2:9e:c8:f2:0c:5e:5e:d4:a1:
b4:21:09:33:ca:3b:59:fc:92:c2:38:fc:ad:d9:96:
24:e0:2d:fa:a3:29:f5:33:68:78:4e:b4:bc:9f:69:
35:e2:a8:98:94:73:3b:c4
Signer Information List:
Signer Information (1):
Version: 1 (0x1)
Issuer: OU=VeriSign Class 1 CA - Individual Subscriber, O="VeriSign, Inc.", L=Internet
Serial Number:
17:10:1c:f9:78:e5:3d:77:cb:5d:73:ff:19:0d:5a:
cd
Digest Algorithm: SHA-1
Authenticated Attributes:
Attribute (1):
Type: PKCS #9 Content Type
Value (1): PKCS #7 Data
Attribute (2):
Type: PKCS #9 Signing Time
Value (1): Thu Nov 06 14:59:49 1997
Attribute (3):
Type: PKCS #9 S/MIME Symmetric Capabilities
Value (1) (encoded):
30:0f:30:0d:06:08:2a:86:48:86:f7:0d:03:
02:02:01:28
Attribute (4):
Type: PKCS #9 Message Digest
Value (1):
f0:ba:b1:c3:e4:09:ed:70:f7:1a:30:5e:e9:
c6:96:55:6f:96:e9:28
Digest Encryption Algorithm: PKCS #1 RSA Encryption
Encrypted Digest:
2e:60:b0:75:d2:95:41:76:32:28:62:4d:27:e3:05:
d3:20:52:6b:33:4b:24:42:04:66:ae:ea:65:9f:30:
23:75:f9:20:08:fd:30:56:99:d3:79:fc:b8:72:92:
fb:87:9b:cb:e0:9c:97:d0:7c:33:78:51:61:0e:b8:
52:ac:06:58


Last Updated: 07/09/98 10:44:37

Any sample code included above is provided for your use on an "AS IS" basis, under the Netscape License Agreement - Terms of Use