SubtleCrypto.sign()

The SubtleCrypto.sign() method generates a digital signature.

It takes as arguments a key to sign with, some algorithm-specific parameters and the data to sign. It returns a Promise which will be resolved with the signature.

You can use the corresponding SubtleCrypto.verify() method to verify the signature.

Syntax

var signature = crypto.subtle.sign(algorithm, key, data);

Parameters

  • algorithm specifies the signature algorithm to use and its parameters:
    • To use RSASSA-PKCS1-v1_5, pass the string "RSASSA-PKCS1-v1_5" or an object of the form { "name": "RSASSA-PKCS1-v1_5" }.
    • To use RSA-PSS, pass an RsaPssParams object.
    • To use ECDSA, pass an EcdsaParams object.
    • To use HMAC, pass the string "HMAC" or an object of the form { "name": "HMAC" }. 
  • key is a CryptoKey containing the key to be used for signing. If algorithm identifies a public-key cryptosystem, this is the private key.
  • data is a ArrayBuffer or an ArrayBufferView containing the data to be signed.

Return value

  • signature is a Promise that on success resolves with an ArrayBuffer containing the signature.

Exceptions

The promise is rejected when the following exception is encountered:

  • InvalidAccessError when the signing key is not a key for the request signing algorithm or when trying to use an algorithm that is either unknown or isn't suitable for signing.

Supported algorithms

The Web Crypto API provides four algorithms that can be used for signing and signature verification.

Three of these algorithms - RSASSA-PKCS1-v1_5, RSA-PSS, and ECDSA - are public-key cryptosystems, using the private key for signing and the public key for verification. These systems all use a digest algorithm to hash the message to a short fixed size before signing. The choice of digest algorithm is passed into the generateKey() or importKey() functions.

The fourth algorithm - HMAC - uses the same algorithm and key for signing and for verification: this means that the verification key must be kept secret, which in turn means that this algorithm is not suitable for many signature use cases. But it can be a good choice when the signer and verifier are the same entity.

RSASSA-PKCS1-v1_5

The RSASSA-PKCS1-v1_5 algorithm is specified in RFC 3447.

RSA-PSS

The RSA-PSS algorithm is specified in RFC 3447.

It's different from RSASSA-PKCS1-v1_5 in that it incorporates a random salt in the signature operation, so the same message signed with the same key will not result in the same signature. An extra property, defining the salt length, is passed into the sign() and verify() functions.

ECDSA

ECDSA (Elliptic Curve Digital Signature Algorithm) is a variant of the Digital Signature Algorithm, specified in FIPS-186, that uses Elliptic Curve Cryptography (RFC 6090).

HMAC

The HMAC algorithm calculates and verifies hash-based message authentication codes according to the FIPS 198-1 standard.

The digest algorithm to use is specified in the HmacKeyGenParams object that you pass into  generateKey(), or the HmacImportParams object that you pass into importKey().

Examples

RSASSA-PKCS1-v1_5

This code fetches the contents of a text box, encodes it for signing, and signs it with a private key.

/*
Fetch the contents of the "message" textbox, and encode it
in a form we can use for sign operation.
*/
function getMessageEncoding() {
  const messageBox = document.querySelector(".rsassa-pkcs1 #message");
  let message = messageBox.value;
  let enc = new TextEncoder();
  return enc.encode(message);
}

let encoded = getMessageEncoding();
let signature = await window.crypto.subtle.sign(
  "RSASSA-PKCS1-v1_5",
  privateKey,
  encoded
);

RSA-PSS

This code fetches the contents of a text box, encodes it for signing, and signs it with a private key.

/*
Fetch the contents of the "message" textbox, and encode it
in a form we can use for sign operation.
*/
function getMessageEncoding() {
  const messageBox = document.querySelector(".rsa-pss #message");
  let message = messageBox.value;
  let enc = new TextEncoder();
  return enc.encode(message);
}

let encoded = getMessageEncoding();
let signature = await window.crypto.subtle.sign(
  {
    name: "RSA-PSS",
    saltLength: 32,
  },
  privateKey,
  encoded
);

ECDSA

This code fetches the contents of a text box, encodes it for signing, and signs it with a private key.

/*
Fetch the contents of the "message" textbox, and encode it
in a form we can use for sign operation.
*/
function getMessageEncoding() {
  const messageBox = document.querySelector(".ecdsa #message");
  let message = messageBox.value;
  let enc = new TextEncoder();
  return enc.encode(message);
}

let encoded = getMessageEncoding();
let signature = await window.crypto.subtle.sign(
  {
    name: "ECDSA",
    hash: {name: "SHA-384"},
  },
  privateKey,
  encoded
);

HMAC

This code fetches the contents of a text box, encodes it for signing, and signs it with a secret key.

/*
Fetch the contents of the "message" textbox, and encode it
in a form we can use for sign operation.
*/
function getMessageEncoding() {
  const messageBox = document.querySelector(".hmac #message");
  let message = messageBox.value;
  let enc = new TextEncoder();
  return enc.encode(message);
}

let encoded = getMessageEncoding();
let signature = await window.crypto.subtle.sign(
  "HMAC",
  key,
  encoded
);

Specifications

Specification Status Comment
Web Cryptography API
The definition of 'SubtleCrypto.sign()' in that specification.
Recommendation Initial definition.

Browser compatibility

Update compatibility data on GitHub
DesktopMobile
ChromeEdgeFirefoxInternet ExplorerOperaSafariAndroid webviewChrome for AndroidEdge MobileFirefox for AndroidOpera for AndroidSafari on iOSSamsung Internet
Basic supportChrome Full support 37Edge Partial support 12
Notes
Partial support 12
Notes
Notes Not supported: RSA-PSS, ECDSA.
Firefox Full support 34
Full support 34
No support 32 — 34
Disabled
Disabled From version 32 until version 34 (exclusive): this feature is behind the dom.webcrypto.enabled preference (needs to be set to true). To change preferences in Firefox, visit about:config.
IE Partial support 11
Notes
Partial support 11
Notes
Notes Returns CryptoOperation instead of Promise
Opera Full support 24Safari Full support 7WebView Android Full support 37Chrome Android Full support 37Edge Mobile Full support 12Firefox Android Full support 34
Full support 34
No support 32 — 34
Disabled
Disabled From version 32 until version 34 (exclusive): this feature is behind the dom.webcrypto.enabled preference (needs to be set to true). To change preferences in Firefox, visit about:config.
Opera Android Full support 24Safari iOS Full support 7Samsung Internet Android Full support 6.0

Legend

Full support  
Full support
Partial support  
Partial support
See implementation notes.
See implementation notes.
User must explicitly enable this feature.
User must explicitly enable this feature.

See also

Document Tags and Contributors

Contributors to this page: wbamberg, rugk, jvmccarthy, fscholz, Dans24, abbycar, groovecoder, dskloet, teoli
Last updated by: wbamberg,