This iRules command is used to verify a signed block of data.


CRYPTO::verify [-alg <>] [-ctx <> [-final]] [-key[hex] <>] [-signature <>] [<data>]

CRYPTO::verify [-alg <>] [-ctx <> [-final]] [-key[hex] [-signature <>] [<data>]

  • Used to provide a digital signature of a block of data. Notes on the flags:
    • alg - algorithm. ASCII string from a given list (see below) The spelling is lowercase and the iRule will fail for anything not in the list. In ctx mode, alg must be given in the first CRYPTO::command and cannot be modified.
    • ctx - context is the name of a Tcl variable and can only be generated from and used in CRYPTO commands. Notes:
      • Trying to get or set value for a ctx variable will fail.
      • When a CTX variable is first used in irule, a tcl object will be generated from the given arguments (alg, key, iv, etc.).
      • A given CTX variable can only be used for one CRYPTO:: command . An irule CRYPTO::command would fail if CTX is reused for different purpose. “–final” must be used for the last CRYPTO::command for the same CTX variable to finish the CRYPTO::command. After “-final” is used, the CTX variable will be freed and the same ctx variable name can be reused.
      • When a CTX variable already has a key and an IV value stored in it, the value can only be updated before CRYPTO command really starts, that is before any data is given. After the command starts and before it finishes, updating key or IV in CTX would fail.
    • key - key (binary data). Key length is determined by alg used. Can be generated by CRYPTO::keygen
    • keyhex - key as hex data. Key length is determined by alg used. Can be generated by CRYPTO::keygen

Algorithm List

  • hmac-md5
  • hmac-ripemd160
  • hmac-sha1
  • hmac-sha224
  • hmac-sha256
  • hmac-sha384
  • hmac-sha512


set secret_key "foobar1234"

set data "This is my data"

set signed_data [CRYPTO::sign -alg hmac-sha1 -key $secret_key $data]

if { [CRYPTO::verify -alg hmac-sha1 -key $secret_key -signature $signed_data $data] } {
    log local0. "Data verified"
The secret key will normally be some large string, size generally dictated by algorithm. The data is just whatever content you want to sign. The result of the CRYPTO::sign command will be a binary value, so if you’re going store this somewhere, probably best to b64encode it first. The CRYPTO::verify command essentially takes the original data and the digital signature of that data (derived from CRYPTO::sign), decrypts that digital signature with the key, creates a new hash of the data, and then compares the two hashes. If they’re the same, then the contents have not been modified.