Dr. Dobb's is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Channels ▼

Web Development

Creating and Verifying Digital Signatures

Rafael Palacios is a researcher at the Instituto de Investigacion Tecnologica and Assistant Professor at the School of Industrial Engineering, Universidad Pontificia Comillas.

Web-based forms provide an efficient way of interacting with users. HTML anchor elements ("links") let users jump from one page to another by clicking on active text or figures, but many jumps may be required to reach the page of interest. On the other hand, by using a small form consisting of just one text field, a search tool can process strings entered by users and instantly find pages they want to see. However, standard HTML forms cannot verify user identity, so they must be considered equivalent to paper forms anonymously sent via mail, and not those signed and delivered in person.

In some cases it is possible to identify users by requesting a login and password. With Web services, for instance, users already registered to the system can log in and send information via forms, while the server recognizes the author. But the problem is how to subscribe for the first time or in general how to identify a person without using a login and password. Sometimes the subscription process may request an email address where the system sends a code that is required to continue the process. Such approach verifies the email account of the user, but not user identity.

Another problem is that on-line stores simply trust the data entered by users with the only basic check they make is the validity of the credit-card number. Nonetheless, many on-line stores only send merchandise to the mail address registered at the credit card, so given that the identity of the person placing the order cannot be verified; at least whatever is bought with a credit card will be sent to the owner of the card who may eventually return the goods. If the persona who places the order could be verified, there will be less risk associated to accepting an order, even if the products are not materials goods but on-line services, software licenses or electronic material. In addition, there are many situations in which a signature is required by law, such as government-related paperwork,insurance forms, legal agreements, and the like.

In common HTML forms, users fill in the requested data and hit the Submit button. Figure 1 is a sample form comprising all input object types. After the Submit button, data are sent through the Internet and processed at a server, which generates a typical congratulations page that's presented to users.

Figure 1: HTML form

In the approach we propose here, users must have at least one personal certificate previously installed in the web browser. Now when the Submit button is pressed, a pop-up window appears before the information is actually sent. The window (Figure 2) shows the text to be signed, a pull-down menu to select which certificate will be used to sign the data, and a text field to grab the master password that protect all the certificates installed in the web browser. After signing the text, form data are sent to the server along with the digital signature generated.

Figure 2: Dialog window for signing the information entered in the form

The signing process is performed in a single JavaScript function (Listing One) that can be easily added to any existing form.

<SCRIPT type="text/JavaScript">
<!-- Begin
function signForm(theForm, theWindow, validation, varnames) {
    //header text
   var texttbs = "I affirm the following information:\n";
    //header text, spanish version
    //var texttbs = "Certifico que la siguiente informacion es cierta:\n";
   var vars = "";        //to store variable names
   var signature = "";   //to store the digital signature of texttbs
   var elem;
   var formSize = theForm.elements.length;
   for(var i = 0; i < formSize; i++) {
      elem = theForm.elements[i];
      switch (elem.type) {
         case "hidden":
         case "button":
         case "submit":
         case "reset":
         case "image":
         case "password":
         case "file":
            // Do not include previous elements in the text to be signed.
         case "select-one":
            var selectValue = elem.options[elem.selectedIndex].value;
            texttbs += elem.name + "=" + selectValue + "\n";
            vars += elem.name + ",";
         case "select-multiple":
            for(var op = 0; op < elem.length; op++) {
               if(elem.options[op].selected) {
                  texttbs += elem.name + "=" + elem.options[op].value + "\n";
                  vars += elem.name + ",";
         case "radio":
            if(elem.checked) {
               texttbs += elem.name + "=" + elem.value + "\n";
               vars += elem.name + ",";
         case "checkbox":
            if(elem.checked) {
               texttbs += elem.name + "=" + elem.value + "\n";
               vars += elem.name + ",";
         //In the case of unchecked radio buttons and checkboxes, variables
         //are not sent, hence they must not be signed.
         default: //input text
            texttbs += elem.name + "=" + elem.value + "\n";
            vars += elem.name + ",";
   //Digital signature
   signature = theWindow.crypto.signText(texttbs, "ask");
   if (signature.substr(0,5)=="error") {
      alert("Signature not created\n" + signature);
      return false;
   //Store signature an vars in hidden inputs of the form
   theForm.signature.value = signature;
   theForm.varnames.value= vars;
   return true;
// End -->
Listing One: Definition of signForm function

The digital signature attached to the form achieves two main goals:

  • User authentication, because the name and email address are included in the certificate.
  • Signature (or agreement) of the data, because digital signature in most developed countries has the same legal value as printing the form, manually sign the paper, and hand it in.

When the information is received at the server, it is necessary to verify the sender (by exploring the certificate) and to verify the signature, which involves checking that the data received corresponds to the data digitally signed. PHP functions are provided to perform the verification process in the server.

To complete the whole process, a timestamp signature could be provided by the server, which will be equivalent to getting a stamping copy of the paper delivered. This final step of the process is not part of the current paper.

Related Reading

More Insights

Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.