ltm rule command CRYPTO sign

iRule(1)		      BIG-IP TMSH Manual		      iRule(1)



CRYPTO::sign
       Provides a digital signature of a block of data.

SYNOPSIS
       CRYPTO::sign (('-alg' ('hmac-md5' | 'hmac-ripemd160' | 'hmac-sha1' |
                              'hmac-sha224' | 'hmac-sha256' | 'hmac-sha384' |
                              'hmac-sha512'))
                     ('-ctx' CONTEXT)
                     (('-key' | '-keyhex') KEY)
                     ('-signature' SIGNATURE)
                     ('-final')
                    )#
                    (CRYPTO_DATA)?

DESCRIPTION
       This iRules command is used to provide a digital signature of a block
       of data.

       CRYPTO::sign [-alg <alg>] [-ctx <ctx> [-final]] [-key[hex] <key>] [<data>]

	    * Used to provide a digital signature of a block of data. Notes on
	      the flags:
		 + alg - algorithm. ASCII string from a given list (see below).
		   The spelling is lowercase and the iRule will fail for anything
		   not in the list. In ctx mode, alg must be given in the first
		   CRYPTO::command and cannot be modified.
		 + ctx - context is the name of a Tcl variable and can only be
		   generated from and used in CRYPTO commands. Notes:
		      o Trying to get or set the value of a ctx variable will
			fail.
		      o When a CTX variable is first used in an iRule, a Tcl
			object will be generated from the given arguments (alg,
			key, iv, etc.).
		      o A given CTX variable can only be used for one CRYPTO::
			command. An iRule CRYPTO::command would fail if the CTX
			is reused for a different purpose. "-final" must be used
			for the last CRYPTO::command on the same CTX variable to
			finish the CRYPTO::command. After "-final" is used, the
			CTX variable will be freed and the same ctx variable name
			can be reused.
		      o When a CTX variable already has a key and an IV value
			stored in it, the value can only be updated before the
			CRYPTO command really starts, that is, before any data is
			given. After the command starts and before it finishes,
			updating the key or IV in the CTX would fail.
		 + key - key (binary data). Key length is determined by the alg
		   used. Can be generated by CRYPTO::keygen.
		 + keyhex - key as hex data. Key length is determined by the alg
		   used. Can be generated by CRYPTO::keygen.

       Algorithm List

	    * hmac-md5
	    * hmac-ripemd160
	    * hmac-sha1
	    * hmac-sha224
	    * hmac-sha256
	    * hmac-sha384
	    * hmac-sha512

RETURN VALUE
VALID DURING
EXAMPLES
	set secret_key "foobar1234"

	set data "This is my data"

	set signed_data [CRYPTO::sign -alg hmac-sha1 -key $secret_key $data]

	if { [CRYPTO::verify -alg hmac-sha1 -key $secret_key -signature $signed_data $data] } {
	    log local0. "Data verified"
	}

	The secret key will normally be some large string, its size generally
	dictated by the algorithm. The data is just whatever content you want to
	sign. The result of the CRYPTO::sign command will be a binary value, so
	if you're going to store this somewhere, it is probably best to b64encode
	it first. The CRYPTO::verify command essentially takes the original data
	and the digital signature of that data (derived from CRYPTO::sign),
	decrypts that digital signature with the key, creates a new hash of the
	data, and then compares the two hashes. If they're the same, then the
	contents have not been modified.
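	An added example, not from the BIG-IP manual: the same HMAC computations done
	with Python's standard library, covering the one-shot form, the -ctx/-final
	incremental form, -keyhex, and what CRYPTO::verify actually checks (the tag is
	recomputed and compared in constant time; nothing is decrypted). The function
	names are assumed stand-ins for the iRule commands.

```python
import base64
import hmac

# Algorithm names accepted by CRYPTO::sign and the hashlib digest each one
# wraps (all seven are HMAC constructions; ripemd160 needs OpenSSL support).
ALGS = {
    "hmac-md5": "md5", "hmac-ripemd160": "ripemd160", "hmac-sha1": "sha1",
    "hmac-sha224": "sha224", "hmac-sha256": "sha256",
    "hmac-sha384": "sha384", "hmac-sha512": "sha512",
}


def sign(alg, key, data, keyhex=False):
    """One-shot form: CRYPTO::sign -alg $alg -key $key $data.
    keyhex=True mirrors -keyhex, where the key is supplied as hex text."""
    if alg not in ALGS:  # the iRule fails for anything not in the list
        raise ValueError(f"unknown alg {alg!r}")
    raw_key = bytes.fromhex(key) if keyhex else key.encode()
    return hmac.new(raw_key, data.encode(), ALGS[alg]).digest()


def sign_ctx(alg, key, chunks):
    """-ctx form: alg and key are fixed when the context is created, data is
    fed in pieces by later CRYPTO::sign -ctx calls, and -final yields the tag."""
    ctx = hmac.new(key.encode(), digestmod=ALGS[alg])  # first call creates CTX
    for chunk in chunks:
        ctx.update(chunk.encode())                     # subsequent -ctx calls
    return ctx.digest()                                # -final frees the CTX


def verify(alg, key, signature, data):
    """CRYPTO::verify equivalent: recompute the HMAC over the data and compare
    it with the supplied signature in constant time (nothing is decrypted)."""
    return hmac.compare_digest(sign(alg, key, data), signature)


def to_storable(signature):
    """CRYPTO::sign returns binary, so base64 it before storing (b64encode)."""
    return base64.b64encode(signature).decode()


if __name__ == "__main__":
    secret_key, data = "foobar1234", "This is my data"  # values from the page
    sig = sign("hmac-sha1", secret_key, data)
    assert sig == sign_ctx("hmac-sha1", secret_key, ["This is ", "my data"])
    print(to_storable(sig), verify("hmac-sha1", secret_key, sig, data))
```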

HINTS
SEE ALSO
CHANGE LOG
       @BIGIP-11.1.0 --First introduced the command.



BIG-IP				  2017-01-31			      iRule(1)