HMAC Authentication using F5
We are trying to use the below iRule, as mentioned in the link https://devcentral.f5.com/codeshare/akamai-g20-header-authentication, which apparently is not working, as CRYPTO::sign returns a hash which is a binary blob but the normal hashing outside is in string format.
HMAC generated using this link: https://www.freeformatter.com/hmac-generator.html
The implementation is that we send a signature header and a data header to F5, and the signature header is generated (using the data sent + the URL of the request) with a secret key on the client side. Once F5 gets these two headers, it should set the data header + path into a variable and sign it with the HMAC SHA256 algo and the secret key present in F5. Then the hash sent by the client and the hash generated will be matched to see if they are the same. Else the request will be dropped.
iRule:

    when HTTP_REQUEST {
        if {[HTTP::header exists "X-Akamai-G2O-Auth-Data"] && [HTTP::header exists "X-Akamai-G2O-Auth-Sign"]} {
            set secret_key "pass"
            # Debug output: this line writes the shared secret to the log
            log local0. "$secret_key"
            # Message to sign: data header value followed by the request path
            set data "[HTTP::header value "X-Akamai-G2O-Auth-Data"][HTTP::path]"
            log local0. "$data"
            set signature "[HTTP::header value "X-Akamai-G2O-Auth-Sign"]"
            log local0. "$signature"
            # CRYPTO::sign returns the HMAC as binary data
            set signed_data [CRYPTO::sign -alg hmac-sha256 -key $secret_key $data]
            log local0. "$signed_data"
            # Binary value compared against the string sent by the client
            if { $signed_data eq $signature } {
                log local0. "Signatures match"
            }
        }
    }
Like you mentioned, the CRYPTO::sign returns a binary. You need to convert this to a hexadecimal string. The iRule below works for me.

    when HTTP_REQUEST {
        if {[HTTP::header exists "X-Akamai-G2O-Auth-Data"] && [HTTP::header exists "X-Akamai-G2O-Auth-Sign"]} {
            # set shared secret here
            set secret_key "pass"
            # Message to sign: data header value followed by the request path
            set data "[HTTP::header value "X-Akamai-G2O-Auth-Data"][HTTP::path]"
            set signature "[HTTP::header value "X-Akamai-G2O-Auth-Sign"]"
            set signed_data_binary [CRYPTO::sign -alg hmac-sha256 -key $secret_key $data]
            # Convert the binary HMAC to a hexadecimal string before comparing
            binary scan $signed_data_binary H* signed_data_hex
            if { $signed_data_hex eq $signature } {
                log local0. "Signatures match"
            }
        }
    }
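
The client side of the scheme discussed in this thread, as an added Python example that is not part of the original posts: it signs the data header value plus the path with HMAC-SHA256 and shows why the raw digest never equals the hex text in the signature header. The function names and the UTF-8 encoding of key and message are assumptions; `binary scan ... H*` produces lowercase hex, so the client must send lowercase hex as well.

```python
import hashlib
import hmac

DATA_HEADER = "X-Akamai-G2O-Auth-Data"
SIGN_HEADER = "X-Akamai-G2O-Auth-Sign"


def raw_digest(secret_key: str, auth_data: str, path: str) -> bytes:
    """Binary HMAC-SHA256 of auth_data + path (what CRYPTO::sign returns)."""
    message = (auth_data + path).encode("utf-8")  # assumed encoding
    return hmac.new(secret_key.encode("utf-8"), message, hashlib.sha256).digest()


def sign_request(secret_key: str, auth_data: str, path: str) -> str:
    """Lowercase hex form of the digest (what binary scan H* yields)."""
    return raw_digest(secret_key, auth_data, path).hex()


def build_headers(secret_key: str, auth_data: str, path: str) -> dict:
    """Headers a client would attach to the request for this path."""
    return {
        DATA_HEADER: auth_data,
        SIGN_HEADER: sign_request(secret_key, auth_data, path),
    }


def verify_request(secret_key: str, headers: dict, path: str) -> bool:
    """Same check as the working iRule; a missing header fails closed."""
    auth_data = headers.get(DATA_HEADER)
    signature = headers.get(SIGN_HEADER)
    if auth_data is None or signature is None:
        return False
    expected = sign_request(secret_key, auth_data, path)
    # Compare as bytes in constant time; encoding first also keeps
    # compare_digest from raising on a non-ASCII header value.
    return hmac.compare_digest(expected.encode("ascii"), signature.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread
    hdrs = build_headers("pass", "sample-auth-data", "/index.html")
    print(hdrs[SIGN_HEADER])
    print("valid:", verify_request("pass", hdrs, "/index.html"))
    print("other path:", verify_request("pass", hdrs, "/admin"))
```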