Forum Discussion

quangtran

Cirrus

Nov 28, 2022

Solved

use irule to sign data using sha256

Hello everyone, I have a request like this:

HTTP REQUEST
- header
POST /login HTTP1/1
Host: xxxxxx
<some other fields>
- Body:
<data>

----> f5 receives and uses Irule to modify the HTTP REQUEST as follows:
- Header: Unchanged
- Body:
<data> + <Hash the data string using SHA256 with the key xxxxx>
---> f5 forward request to pool

I want to use irule to do this, help me!

Any and all help is appreciated. Thanks

Hi Quangtran,

do you want to calculate the HMAC-checksum for the entire POST-data (Scenario 1) or just the "data" value itself (Scenario 2)?

Scenario 1:

hmac-sha256( the received POST string as-is including outer curly braces )

Scenario 2:

hmac-sha256( FdQZxoYBLPCgv2VPzdiUDA2Xj9KIJ\/I4BSzViIp\/CG\/ktrcdtXGYXQzGaa71R )

The quickly code iRule below uses Scenario 1 as input for HMAC calculation. The iRule uses 4 logical steps to read the payload, calculate the checksum, define the new payload and finally insert the new payload to the HTTP request before its getting forwarded to your backend. Every single step could be easily adjusted based on your needs...

when RULE_INIT {

	# Define global configuration options

	set static::max_payload_size "1048576" 		;# Limiter for maximum HTTP payload size in bytes
	set static::hmac_key "Hello World!"			;# Secrect for HMAC signing

}
when HTTP_REQUEST {

	# Check if HTTP request contains any HTTP payload and if its size does not exceed our limits...

	if { ( [string tolower [HTTP::path]] equals "/login" )
	 and ( [HTTP::method] equals "POST" )
	 and ( [HTTP::header value "Content-Length"] ne "" )
	 and ( [HTTP::header value "Content-Length"] < $static::max_payload_size ) } then {

		# Collect the HTTP payload and trigger HTTP_REQUEST_DATA event
		
		HTTP::collect [HTTP::header value "Content-Length"]

	}

}
when HTTP_REQUEST_DATA {

	# Define the input used for HMAC signing

	set temp(hmac_input) [HTTP::payload]

	# Compute the HMAC checksum for the input using our secret key

	set temp(hmac_output) [b64encode [CRYPTO::sign -alg hmac-sha256 -key $static::hmac_key $temp(hmac_input)]]

	# Contruct the new payload

	set temp(new_payload) "[string trimright [HTTP::payload] "\}"],\"hashsha256\":\"$temp(hmac_output)\"\}"

	# Replace the payload	

	HTTP::payload replace 0 [HTTP::payload length] $temp(new_payload)

	unset -nocomplain temp

}

At later stage we may or may not combine those 4 logical steps into a single syntax line, to reduce processing overhead to a minimum.. 😉

when HTTP_REQUEST_DATA {
	
	# Replace the payload with HMAC signed payload...

	HTTP::payload replace 0 [HTTP::payload length] "[string trimright [HTTP::payload] "\}"],\"hashsha256\":\"[b64encode [CRYPTO::sign -alg hmac-sha256 -key $static::hmac_key [HTTP::payload]]]\"\}"
	
}

Cheers, Kai

7 Replies

Mohamed_Ahmed_Kansoh
MVP
Nov 28, 2022
Hi quangtran ,
I think it is doable , but i did not do it before :
you can use "CRYPTO::encrypt" but I think , if using sha256 is applicable or not.
For more info and correct synatx :

https://clouddocs.f5.com/api/irules/CRYPTO__encrypt.html
Regards
- quangtran
  Cirrus
  Nov 29, 2022
  Thanks Mohamed,
  Thank you and really appreciate the feedback.

PeteWhite

Employee

Nov 28, 2022

Try this: it will add the hex string to the end of the payload

when HTTP_REQUEST {
  if { [HTTP::header exists Content-Length] } {
    HTTP::collect [HTTP::header Content-Length]
  }
}
when HTTP_REQUEST_DATA {
  set sha [HTTP::payload]
  binary scan $sha h* shahex
  HTTP::payload replace [HTTP::payload length] [string length $shahex] $shahex
}

quangtran
Cirrus
Nov 29, 2022
thanks you, i will try it

Kai_Wilke
MVP
Nov 29, 2022
Hi quangtran,

I'm not sure If i completely understand your scenario. Lets elaborate your requirements a bit...

You want to extract the POST data posted to /login URI.

You want to calculate a checksum based based on the received POST data, including a shared-key used as checksum authenticator.

You want to append the just calculated checksum to the original POST data an then forward the request to the backend.

Is this so far correct?

Question to 2.: How should the checksum be calculated? You want to use a standardized HMAC-SHA256 checksum. Or a homegrown checksum generation (something like sha256( "POST data" + "sharedkey" ).

Question to 3.: In which format should the checksum be appended to the original POST data. Any special need for sperators between the original POST data and the appended checksum? Any specific encodings (e.g. base64, hex) needed for the binary checksum?

Cheers, Kai
- quangtran
  Cirrus
  Dec 01, 2022
  Thank you and really appreciate the feedback.
  I will answer your question as follows,
  Question 1: all your comments are correct, that's what i want
  Question 2: I want to use a standardized HMAC-SHA256 checksum
  Question 3: I need the checksum to be added to the original POST data in base64 format, and form
  HTTP REQUEST
  - header: Unchanged
  POST /login HTTP1/1
  Host: xxxxxx
  <some other fields>
  - Body:
  <data> + <Hash the data string using SHA256 >
  request data
  {"data":"FdQZxoYBLPCgv2VPzdiUDA2Xj9KIJ\/I4BSzViIp\/CG\/ktrcdtXGYXQzGaa71R"
  request data after using iRule
  {"data":"FdQZxoYBLPCgv2VPzdiUDA2Xj9KIJ\/I4BSzViIp\/CG\/ktrcdtXGYXQzGaa71R","hashsha256":"akfjdafjGDJudsjSSlfdjfdsus"}
  thanks you, Kai
  - Kai_Wilke
    MVP
    Dec 01, 2022
    Hi Quangtran,
    
    do you want to calculate the HMAC-checksum for the entire POST-data (Scenario 1) or just the "data" value itself (Scenario 2)?
    
    Scenario 1:
    
    hmac-sha256( the received POST string as-is including outer curly braces )
    
    Scenario 2:
    
    hmac-sha256( FdQZxoYBLPCgv2VPzdiUDA2Xj9KIJ\/I4BSzViIp\/CG\/ktrcdtXGYXQzGaa71R )
    
    The quickly code iRule below uses Scenario 1 as input for HMAC calculation. The iRule uses 4 logical steps to read the payload, calculate the checksum, define the new payload and finally insert the new payload to the HTTP request before its getting forwarded to your backend. Every single step could be easily adjusted based on your needs...
    
    when RULE_INIT { # Define global configuration options set static::max_payload_size "1048576" ;# Limiter for maximum HTTP payload size in bytes set static::hmac_key "Hello World!" ;# Secrect for HMAC signing } when HTTP_REQUEST { # Check if HTTP request contains any HTTP payload and if its size does not exceed our limits... if { ( [string tolower [HTTP::path]] equals "/login" ) and ( [HTTP::method] equals "POST" ) and ( [HTTP::header value "Content-Length"] ne "" ) and ( [HTTP::header value "Content-Length"] < $static::max_payload_size ) } then { # Collect the HTTP payload and trigger HTTP_REQUEST_DATA event HTTP::collect [HTTP::header value "Content-Length"] } } when HTTP_REQUEST_DATA { # Define the input used for HMAC signing set temp(hmac_input) [HTTP::payload] # Compute the HMAC checksum for the input using our secret key set temp(hmac_output) [b64encode [CRYPTO::sign -alg hmac-sha256 -key $static::hmac_key $temp(hmac_input)]] # Contruct the new payload set temp(new_payload) "[string trimright [HTTP::payload] "\}"],\"hashsha256\":\"$temp(hmac_output)\"\}" # Replace the payload HTTP::payload replace 0 [HTTP::payload length] $temp(new_payload) unset -nocomplain temp }
    
    At later stage we may or may not combine those 4 logical steps into a single syntax line, to reduce processing overhead to a minimum.. 😉
    
    when HTTP_REQUEST_DATA { # Replace the payload with HMAC signed payload... HTTP::payload replace 0 [HTTP::payload length] "[string trimright [HTTP::payload] "\}"],\"hashsha256\":\"[b64encode [CRYPTO::sign -alg hmac-sha256 -key $static::hmac_key [HTTP::payload]]]\"\}" }
    
    Cheers, Kai

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

when HTTP_REQUEST {\n if { [HTTP::header exists Content-Length] } {\n HTTP::collect [HTTP::header Content-Length]\n }\n}\nwhen HTTP_REQUEST_DATA {\n set sha [HTTP::payload]\n binary scan $sha h* shahex\n HTTP::payload replace [HTTP::payload length] [string length $shahex] $shahex\n}

when RULE_INIT {\n\n\t# Define global configuration options\n\n\tset static::max_payload_size \"1048576\" \t\t;# Limiter for maximum HTTP payload size in bytes\n\tset static::hmac_key \"Hello World!\"\t\t\t;# Secrect for HMAC signing\n\n}\nwhen HTTP_REQUEST {\n\n\t# Check if HTTP request contains any HTTP payload and if its size does not exceed our limits...\n\n\tif { ( [string tolower [HTTP::path]] equals \"/login\" )\n\t and ( [HTTP::method] equals \"POST\" )\n\t and ( [HTTP::header value \"Content-Length\"] ne \"\" )\n\t and ( [HTTP::header value \"Content-Length\"] < $static::max_payload_size ) } then {\n\n\t\t# Collect the HTTP payload and trigger HTTP_REQUEST_DATA event\n\t\t\n\t\tHTTP::collect [HTTP::header value \"Content-Length\"]\n\n\t}\n\n}\nwhen HTTP_REQUEST_DATA {\n\n\t# Define the input used for HMAC signing\n\n\tset temp(hmac_input) [HTTP::payload]\n\n\t# Compute the HMAC checksum for the input using our secret key\n\n\tset temp(hmac_output) [b64encode [CRYPTO::sign -alg hmac-sha256 -key $static::hmac_key $temp(hmac_input)]]\n\n\t# Contruct the new payload\n\n\tset temp(new_payload) \"[string trimright [HTTP::payload] \"\\}\"],\\\"hashsha256\\\":\\\"$temp(hmac_output)\\\"\\}\"\n\n\t# Replace the payload\t\n\n\tHTTP::payload replace 0 [HTTP::payload length] $temp(new_payload)\n\n\tunset -nocomplain temp\n\n}

when HTTP_REQUEST_DATA {\n\t\n\t# Replace the payload with HMAC signed payload...\n\n\tHTTP::payload replace 0 [HTTP::payload length] \"[string trimright [HTTP::payload] \"\\}\"],\\\"hashsha256\\\":\\\"[b64encode [CRYPTO::sign -alg hmac-sha256 -key $static::hmac_key [HTTP::payload]]]\\\"\\}\"\n\t\n}

Forum Discussion

use irule to sign data using sha256

7 Replies

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

F5 Academies Are Back – And We’re Coming to a City Near You

Recent Discussions

APM Access Policy|SSLVPN | SAML auth questionnaires

Cert Bundle Manager

PKI PIN works for users from one network, not the other.

Why does SSLO not support ACTIVE-ACTIVE mode deployments？

r4600 Tenant CPU Assignment

Related Content

Using Tcl packages in iRules

iRules Heat Map - US Only

Help with irule using switch

Using bash and tmsh to make bulk updates

decrypted tcpdump capture without using an iRule using tshark

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS