QA/Signed Text


Background

Firefox has a feature that lets users digitally sign form data before it is sent to the server for processing. This page describes that JavaScript feature, crypto.signText().

UI

[Image: SignText01.png]

Code Sample

The following sample page shows how the crypto.signText() function works in Firefox.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta name="Author" content="Bob Lord" />
    <script type="text/javascript">
    var shoppingCart = "Bill of Sale\n--------------------\n\
3 Tires      $300.00\n\
1 Axle       $795.00\n\
2 Bumpers    $500.00\n\
--------------------\n\
Total Price $1595.00";

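    // Sign the cart text and display the result on the page.
    function submitMyForm() {
      var element = document.getElementById('mytext');
      // "ask" makes Firefox prompt the user to choose the signing certificate.
      // The return value is plain text, so assign it as text rather than as HTML.
      element.textContent = crypto.signText(shoppingCart, "ask");
    }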
    </script>
    <title>
      Form Signing Example
    </title>
  </head>
  <body>
    <p>
      <b>Shopping Check Out</b>
    </p>
    <p>
      Your shopping cart has the following items in it:
    </p>
    <pre>
      <script type="text/javascript">
      document.write(shoppingCart);
      </script>
    </pre>
    <p>
    If you are ready to check out, click here to digitally sign the order and to submit it.
    </p>
    <form id="input" onclick="submitMyForm();" action="#">
      <input type="submit" value="Submit my order!" />
    </form><br />
    <hr />
    <p>
      This is what the server will see:
    </p>
    <div id="mytext2"
    style="font-family:monospace; display:table; font-size:8pt; padding: 5px; border:thin solid;">
        <pre id="mytext">Signed text will show up here.</pre>
    </div>
    <p>
      &nbsp;
    </p>
  </body>
</html>

Decoding

Once you submit the signed form to the server, you can verify the signature using the signver tool from the NSS libraries.

$ signver -d . -a -i signedData.txt < sig.txt
signatureValid=yes

It's important to make sure that the data in the signedData.txt file is exactly the same as what was signed. Stray line feeds can cause the signature to not validate.
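
The following is an added example, not code from this page or from Mozilla: a server-side pre-check (Node.js) to run on the posted value and on the bytes of signedData.txt before calling signver. The function names are hypothetical, SAMPLE_SIG is a constructed and truncated structure rather than a real signature, and treating the signed text as UTF-8 is an assumption (the sample text is plain ASCII).

```javascript
// Added example: pre-checks on a posted crypto.signText() result before signver.
const SIGNED_DATA_OID = Buffer.from('2a864886f70d010702', 'hex'); // 1.2.840.113549.1.7.2
// The text from the page's sample, and a constructed, truncated ContentInfo
// (SEQUENCE + signedData OID only): enough for the shape check, not a real signature.
const CART = 'Bill of Sale\n--------------------\n3 Tires      $300.00\n' +
  '1 Axle       $795.00\n2 Bumpers    $500.00\n--------------------\n' +
  'Total Price $1595.00';
const SAMPLE_SIG = Buffer.from('300b06092a864886f70d010702', 'hex').toString('base64');

// Read a DER length starting at buf[pos]; returns the length and the next offset.
function derLength(buf, pos) {
  const first = buf[pos];
  if (first === undefined) throw new Error('truncated DER');
  if (first < 0x80) return { len: first, next: pos + 1 };
  const n = first & 0x7f;
  if (n === 0 || n > 4 || pos + 1 + n > buf.length) throw new Error('bad DER length');
  let len = 0;
  for (let i = 0; i < n; i++) len = len * 256 + buf[pos + 1 + i];
  return { len, next: pos + 1 + n };
}

// Classify the posted value: an "error:" string, junk, or a base64 PKCS#7 blob.
function checkSignTextResult(result) {
  if (result.startsWith('error:')) return { ok: false, reason: result };
  const b64 = result.replace(/\s+/g, '');
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) return { ok: false, reason: 'not base64' };
  const der = Buffer.from(b64, 'base64');
  try {
    if (der[0] !== 0x30) throw new Error('not a DER SEQUENCE');
    const seq = derLength(der, 1);
    if (der[seq.next] !== 0x06) throw new Error('no contentType OID');
    const oid = derLength(der, seq.next + 1);
    if (!der.subarray(oid.next, oid.next + oid.len).equals(SIGNED_DATA_OID)) {
      throw new Error('contentType is not signedData');
    }
  } catch (e) {
    return { ok: false, reason: e.message };
  }
  return { ok: true, sigText: b64 }; // base64 text to store as sig.txt
}

// Say why the bytes of signedData.txt differ from the text that was signed.
function dataFileIssues(signedText, fileBytes) {
  if (Buffer.from(signedText, 'utf8').equals(fileBytes)) return []; // UTF-8 is an assumption
  const got = fileBytes.toString('utf8');
  const issues = [];
  if (got.includes('\r') && !signedText.includes('\r')) issues.push('carriage returns');
  if (got.endsWith('\n') && !signedText.endsWith('\n')) issues.push('trailing line feed');
  return issues.length ? issues : ['content differs'];
}
```

These checks only screen the inputs; the cryptographic verification is still the signver run shown above.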

Links

http://docs.sun.com/source/816-6152-10/sgntxt.htm