Web Crypto API
Posted on:Web Crypto API — An Authentification of Data and People in SSL
Unofficial Draft 01 June 2010
- Editor:
- Channy Yun, Mozilla Korea Community
This document is licensed under a Creative Commons Attribution 3.0 License.
This document is licensed under a Creative Commons Attribution 3.0 License.
This document defines APIs for signing the message by the user certificate issuing from the certificate authority for SSL communications. It provides cryptographic functions like handling the user certificate, secure login/logout and verifying the authentity of data i.e. digital signatures.
This document is merely a public working draft of a potential specification. It has no official standing of any kind and does not represent the support or consensus of any standards organisation.
This section is non-normative.
WebCrypto Object implements an interface exposed by a script engine that allows scripts to perform PKI based functionality, such as issuing the user certificate, signing the message and session authentication in the only HTTPS connection.
Some simple code to do signing message from the user certificate.
var crypto = new WebCrypto(); function login() { var crypto = new WebCrypto(); result = crypto.login(); // Launching prompt window to select user certificate } function generateCSR() { with (document.forms[0]) { crmfObject = crypto.generateRequest( "CN=" + name.value, password.value, "","","", 1024, null, "rsa-dual-use"); cert_request.value = crmfObject.request; submit(); } return false; } function signText() { var foo = crypto.signText("Transfer USD1 to Some bank", "ask"); // Launching prompt window to select user certificate } function importCertificate() { keypair = crypto.exportKeypair("PKCS#12"); // Launching prompt window to select p12 file from file system or SmartCard. }
This specification must meet the following requirements:
This specification must meet the following use cases:
keygen
.WebCrypto
InterfaceWebCrypto
Object implements an interface used by scripts to programmatically secure communications to their HTTPS server with the user certificate.
interface WebCrypto { readonly attribute DOMString version; attribute boolean enableSmartCardEvents; DOMString random(in long numBytes); DOMString generateCertRequest(in DOMString requestedDN, in DOMString regToken, in boolean authenticator, in DOMString escrowAuthorityCert, in DOMString finalCode, in DOMString keySize, in DOMString keyParams, in DOMString keyGenAlgorithm); DOMString importUserCert(in DOMString nickname, in DOMString cmmfResponse, in boolean doForcedBackup); DOMString viewCertInfo(in DOMString nickname); DOMString validateUserCert(in DOMString nickname); DOMString signText(in DOMString stringToSign, in DOMString caOption); DOMString decryptText(in DOMString stringTodecrypt, in DOMString caOption); DOMString verifySign(in DOMString stringToverify, in DOMString caOption); void importKeypair(in DOMString cipherFlag); void exportKeypair(); void validateUserCert(); void revokeUserCert(); attribute boolean login(); attribute boolean logout(); };
generateCertRequest
methodThe generateCertRequest method generates a sequence of certificate requests that has multiple requests. The user agent must make one request for each key pair that is generated.
When the generateCertRequest("requestedDN", "regToken", "authenticator", "escrowAuthorityCert", "finalCode", keySize, "keyParams", "keyGenAlgorithm")
method is invoked, the user agent must run these steps:
importUserCert
methodThe importUserCert method loads certificates into the keystore or SmartCard if the corresponding key is found there.
viewCertInfo
methodThe viewCertInfo method shows detail informations of the specific certificate of given nickname.
validateUserCert
methodThe validateUserCert method checks validity of the specific certificate of given nickname by communication to Certificate Revocation List or valid OCSP server.
This section non-normative
signText
methodThe signText method generates digitally signed encrypted messages by selected the user certificate given text strings. When the signText(“stringToSign”, “caOption”) method is invoked, the user agent must run these steps:
decryptText
methodThe decryptText method decrypts digitally signed messages from the server with the user certificate. When the decryptText(“stringTodecrypt”, “caOption”) method is invoked, the user agent must run these steps:
veryfySign
methodThe veryfySign method verifies digitally signed encrypted message if the integrity is guranteed or not.
This section non-normative
importKeypair
methodThis importKeypair method import a key pair into a keystore from PKCS #12 or PEM bundle file.
exportKeypair
methodThis section non-normative
This section non-normative
login
attributelogout
attributeversion
attributeenableSmartCardEvents
attributeThe enableSmartCardEvents
attribute listens for SmartCard insertion and removal events. By setting webcrypto.enableSmartCardEvents to true, the system is ready for listening of these events. Two smart card related events are generated “smartcard-insert” when SmartCards are inserted, and “smartcard-remove” when SmartCards are removed.
function onSmartCardChange() { window.location.reload(); } function register() { window.crypto.enableSmartCardEvents=true; document.addEventListener("smartcard-insert",onSmartCardChange,false); document.addEventListener("smartcard-remove",onSmartCardChange,false); } function deregister() { document.removeEventListener("smartcard-insert",onSmartCardChange,false); document.removeEventListener("smartcard-remove",onSmartCardChange,false); }
random
methodThis guideline is to maintain the consistency of user interfaces for avoiding confusion of the user between the user agent.
When the user logs in the HTTPS server, the user agent shows the important information of HTTS server i.e. the URL, company name and basic location informations.
The user agent should avoid pop-up style window to select the user certificate.
When the user signs the text with the user certificate, the user agent shoud show signing text to the user.
The user agent should avoid pop-up style window to select the user certificate.
This section explains security considerations for this specification.
keygen
element to key-pair generator/input controlNo normative references.
No informative references.